{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# **MITRE ATT&CK API BASICS**: Python Client\n",
    "------------------"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Import ATTACK API Client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 1,
   "metadata": {},
   "outputs": [],
   "source": [
    "from attackcti import attack_client"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Import Extra Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 2,
   "metadata": {},
   "outputs": [],
   "source": [
    "from pandas import *\n",
    "from pandas.io.json import json_normalize\n",
    "import json"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 3,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "'0.25.0'"
      ]
     },
     "execution_count": 3,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "pandas.__version__"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Initialize ATT&CK Client Variable"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 4,
   "metadata": {},
   "outputs": [],
   "source": [
    "lift = attack_client()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## **Collect (Enterprise ATT&CK, Pre-ATT&CK & Mobile ATT&CK)**\n",
    "* I usually collect all the stix object types available from all the ATT&CK Matrices first when I want to analyze ATT&CK's data.\n",
    "* In this section, we will collect everything from Enterprise ATT&CK, PRE-ATT&CK and Mobile ATT&CK via three functions that query ATT&CK content available in STIX™ 2.0 format via its own public TAXII™ 2.0 server:\n",
    "  * get_enterprise()\n",
    "  * get_pre()\n",
    "  * get_mobile()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Collect ALL Enterprise ATT&CK (TAXII)**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 5,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "CPU times: user 5.18 s, sys: 820 ms, total: 6 s\n",
      "Wall time: 11.7 s\n"
     ]
    }
   ],
   "source": [
    "%time all_enterprise = lift.get_enterprise()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Collect ALL PRE-ATT&CK (TAXII)**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 6,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "CPU times: user 170 ms, sys: 100 ms, total: 270 ms\n",
      "Wall time: 1.52 s\n"
     ]
    }
   ],
   "source": [
    "%time all_pre = lift.get_pre()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Collect ALL Mobile ATT&CK (TAXII)**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 7,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "CPU times: user 640 ms, sys: 120 ms, total: 760 ms\n",
      "Wall time: 2.98 s\n"
     ]
    }
   ],
   "source": [
    "%time all_mobile = lift.get_mobile()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## **Collect ALL (It runs All 3 previous functions and collects all the results)**"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "The **get_stix_objects()** function returns a dictionary with all the stix object types from all matrices:\n",
    "* techniques\n",
    "* mitigations\n",
    "* groups\n",
    "* malware\n",
    "* tools\n",
    "* relationships"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 8,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "CPU times: user 51 s, sys: 730 ms, total: 51.7 s\n",
      "Wall time: 1min\n"
     ]
    }
   ],
   "source": [
    "%time all_attack = lift.get_stix_objects()"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 9,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "dict"
      ]
     },
     "execution_count": 9,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "type(all_attack)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Techniques from ATT&CK Results (Locally - STIX format)\n",
    "* The results of this function shows every single technique across the whole ATT&CK framework without their mitigations information"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 10,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in ATT&CK\n",
      "500\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in ATT&CK\")\n",
    "print(len(all_attack['techniques']))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "* By default, the data returned by the available functions in the attackcti library is of type **stix2**\n",
    "* However, if you want to interact with libraries such as **Pandas**, it needs to be of type **dict**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 11,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created</th>\n",
       "      <th>name</th>\n",
       "      <th>x_mitre_data_sources</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>2019-04-25T20:53:07.719Z</td>\n",
       "      <td>Compile After Delivery</td>\n",
       "      <td>[Process command-line parameters, Process moni...</td>\n",
       "      <td>[Linux, macOS, Windows]</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>2019-04-23T15:34:30.008Z</td>\n",
       "      <td>Systemd Service</td>\n",
       "      <td>[Process command-line parameters, Process moni...</td>\n",
       "      <td>[Linux]</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>2019-04-18T11:00:55.862Z</td>\n",
       "      <td>Endpoint Denial of Service</td>\n",
       "      <td>[SSL/TLS inspection, Web logs, Web application...</td>\n",
       "      <td>[Linux, macOS, Windows]</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>2019-04-17T22:22:24.505Z</td>\n",
       "      <td>Virtualization/Sandbox Evasion</td>\n",
       "      <td>[Process monitoring, Process command-line para...</td>\n",
       "      <td>[Windows]</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>2019-04-17T20:23:15.105Z</td>\n",
       "      <td>Network Denial of Service</td>\n",
       "      <td>[Sensor health and status, Network protocol an...</td>\n",
       "      <td>[Linux, macOS, Windows]</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                    created                            name  \\\n",
       "0  2019-04-25T20:53:07.719Z          Compile After Delivery   \n",
       "1  2019-04-23T15:34:30.008Z                 Systemd Service   \n",
       "2  2019-04-18T11:00:55.862Z      Endpoint Denial of Service   \n",
       "3  2019-04-17T22:22:24.505Z  Virtualization/Sandbox Evasion   \n",
       "4  2019-04-17T20:23:15.105Z       Network Denial of Service   \n",
       "\n",
       "                                x_mitre_data_sources        x_mitre_platforms  \n",
       "0  [Process command-line parameters, Process moni...  [Linux, macOS, Windows]  \n",
       "1  [Process command-line parameters, Process moni...                  [Linux]  \n",
       "2  [SSL/TLS inspection, Web logs, Web application...  [Linux, macOS, Windows]  \n",
       "3  [Process monitoring, Process command-line para...                [Windows]  \n",
       "4  [Sensor health and status, Network protocol an...  [Linux, macOS, Windows]  "
      ]
     },
     "execution_count": 11,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques = []\n",
    "for t in all_attack['techniques']:\n",
    "    techniques.append(json.loads(t.serialize()))\n",
    "df = json_normalize(techniques)\n",
    "df.reindex(['created','name', 'x_mitre_data_sources', 'x_mitre_platforms'], axis=1)[0:5]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Techniques**"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "This schema covers techniques from Enterprise, PRE and Mobile ATT&CK"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 12,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['external_references',\n",
       " 'object_marking_refs',\n",
       " 'type',\n",
       " 'modified',\n",
       " 'created_by_ref',\n",
       " 'kill_chain_phases',\n",
       " 'id',\n",
       " 'name',\n",
       " 'created',\n",
       " 'description',\n",
       " 'x_mitre_contributors',\n",
       " 'x_mitre_permissions_required',\n",
       " 'x_mitre_data_sources',\n",
       " 'x_mitre_detection',\n",
       " 'x_mitre_platforms',\n",
       " 'x_mitre_version',\n",
       " 'x_mitre_system_requirements',\n",
       " 'x_mitre_defense_bypassed',\n",
       " 'x_mitre_impact_type',\n",
       " 'x_mitre_remote_support',\n",
       " 'x_mitre_effective_permissions',\n",
       " 'x_mitre_network_requirements',\n",
       " 'x_mitre_detectable_by_common_defenses',\n",
       " 'x_mitre_difficulty_for_adversary_explanation',\n",
       " 'x_mitre_old_attack_id',\n",
       " 'x_mitre_difficulty_for_adversary',\n",
       " 'x_mitre_detectable_by_common_defenses_explanation',\n",
       " 'x_mitre_deprecated',\n",
       " 'x_mitre_tactic_type',\n",
       " 'revoked']"
      ]
     },
     "execution_count": 12,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing one technique example**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 13,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "{'external_references': [{'external_id': 'T1500',\n",
       "   'source_name': 'mitre-attack',\n",
       "   'url': 'https://attack.mitre.org/techniques/T1500'},\n",
       "  {'url': 'https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf',\n",
       "   'source_name': 'ClearSky MuddyWater Nov 2018',\n",
       "   'description': 'ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.'},\n",
       "  {'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/',\n",
       "   'source_name': 'TrendMicro WindowsAppMac',\n",
       "   'description': 'Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. Retrieved April 25, 2019.'}],\n",
       " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
       " 'type': 'attack-pattern',\n",
       " 'modified': '2019-04-29T21:13:49.686Z',\n",
       " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
       " 'kill_chain_phases': [{'phase_name': 'defense-evasion',\n",
       "   'kill_chain_name': 'mitre-attack'}],\n",
       " 'id': 'attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120027925',\n",
       " 'name': 'Compile After Delivery',\n",
       " 'created': '2019-04-25T20:53:07.719Z',\n",
       " 'description': 'Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\\n\\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)\\n',\n",
       " 'x_mitre_contributors': ['Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank',\n",
       "  'Praetorian'],\n",
       " 'x_mitre_permissions_required': ['User'],\n",
       " 'x_mitre_data_sources': ['Process command-line parameters',\n",
       "  'Process monitoring',\n",
       "  'File monitoring'],\n",
       " 'x_mitre_detection': 'Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these should only be used in specific and limited cases, like for software development.',\n",
       " 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],\n",
       " 'x_mitre_version': '1.0',\n",
       " 'x_mitre_system_requirements': ['Compiler software (either native to the system or delivered by the adversary)'],\n",
       " 'x_mitre_defense_bypassed': ['Static File Analysis',\n",
       "  'Binary Analysis',\n",
       "  'Anti-virus',\n",
       "  'Host intrusion prevention systems',\n",
       "  'Signature-based detection']}"
      ]
     },
     "execution_count": 13,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mitigations from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 14,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Mitigations in ATT&CK\n",
      "295\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Mitigations in ATT&CK\")\n",
    "print(len(all_attack['mitigations']))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "* Remember, we need to transform our results to dictionaries to be able to use them as pandas dataframes"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 15,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>name</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>This category is to associate techniques that ...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Do Not Mitigate</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--787fb64d-c87b-4ee5-a341-0ef1...</td>\n",
       "      <td>[{'external_id': 'M1055', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-23T14:44:24.727Z</td>\n",
       "      <td>2019-07-19T14:58:42.715Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Implement configuration changes to software (o...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Software Configuration</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...</td>\n",
       "      <td>[{'external_id': 'M1054', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-19T14:57:15.656Z</td>\n",
       "      <td>2019-07-19T14:40:23.529Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Take and store data backups from end user syst...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Data Backup</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...</td>\n",
       "      <td>[{'external_id': 'M1053', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-19T14:33:33.543Z</td>\n",
       "      <td>2019-07-19T14:33:33.543Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Configure Windows User Account Control to miti...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>User Account Control</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--2c2ad92a-d710-41ab-a996-1db1...</td>\n",
       "      <td>[{'external_id': 'M1052', 'source_name': 'mitr...</td>\n",
       "      <td>2019-06-11T17:14:35.170Z</td>\n",
       "      <td>2019-06-11T17:14:35.170Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description              type  \\\n",
       "0  This category is to associate techniques that ...  course-of-action   \n",
       "1  Implement configuration changes to software (o...  course-of-action   \n",
       "2  Take and store data backups from end user syst...  course-of-action   \n",
       "3  Configure Windows User Account Control to miti...  course-of-action   \n",
       "\n",
       "                     name                                object_marking_refs  \\\n",
       "0         Do Not Mitigate  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  Software Configuration  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2             Data Backup  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3    User Account Control  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  course-of-action--787fb64d-c87b-4ee5-a341-0ef1...   \n",
       "1  course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...   \n",
       "2  course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...   \n",
       "3  course-of-action--2c2ad92a-d710-41ab-a996-1db1...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'M1055', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'M1054', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'M1053', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'M1052', 'source_name': 'mitr...   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2019-07-23T14:44:24.727Z  2019-07-19T14:58:42.715Z             1.0   \n",
       "1  2019-07-19T14:57:15.656Z  2019-07-19T14:40:23.529Z             1.0   \n",
       "2  2019-07-19T14:33:33.543Z  2019-07-19T14:33:33.543Z             1.0   \n",
       "3  2019-06-11T17:14:35.170Z  2019-06-11T17:14:35.170Z             1.0   \n",
       "\n",
       "  x_mitre_deprecated x_mitre_old_attack_id  \n",
       "0                NaN                   NaN  \n",
       "1                NaN                   NaN  \n",
       "2                NaN                   NaN  \n",
       "3                NaN                   NaN  "
      ]
     },
     "execution_count": 15,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mitigations = []\n",
    "for t in all_attack['mitigations']:\n",
    "    mitigations.append(json.loads(t.serialize()))\n",
    "df = json_normalize(mitigations)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 16,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['created_by_ref',\n",
       " 'description',\n",
       " 'type',\n",
       " 'name',\n",
       " 'object_marking_refs',\n",
       " 'id',\n",
       " 'external_references',\n",
       " 'modified',\n",
       " 'created',\n",
       " 'x_mitre_version',\n",
       " 'x_mitre_deprecated',\n",
       " 'x_mitre_old_attack_id']"
      ]
     },
     "execution_count": 16,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Groups from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 17,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in ATT&CK\n",
      "93\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in ATT&CK\")\n",
    "print(len(all_attack['groups']))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "* Once again, we need to transform our results to dictionaries to be able to use them as pandas dataframes"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 18,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>aliases</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>name</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>revoked</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Operation [Soft Cell](https://attack.mitre.org...</td>\n",
       "      <td>[Soft Cell]</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>[{'external_id': 'G0093', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-22T15:49:28.637Z</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>2019-07-18T20:47:50.050Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>Soft Cell</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Cybereason Nocturnus, @nocturnus]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[TA505](https://attack.mitre.org/groups/G0092)...</td>\n",
       "      <td>[TA505]</td>\n",
       "      <td>intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb...</td>\n",
       "      <td>[{'external_id': 'G0092', 'source_name': 'mitr...</td>\n",
       "      <td>2019-06-24T19:11:41.060Z</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>2019-05-28T15:54:17.213Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>TA505</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Silence](https://attack.mitre.org/groups/G009...</td>\n",
       "      <td>[Silence]</td>\n",
       "      <td>intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb...</td>\n",
       "      <td>[{'external_id': 'G0091', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-16T16:12:09.085Z</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>2019-05-24T17:57:36.491Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>Silence</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Oleg Skulkin, Group-IB]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[WIRTE](https://attack.mitre.org/groups/G0090)...</td>\n",
       "      <td>[WIRTE]</td>\n",
       "      <td>intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3...</td>\n",
       "      <td>[{'external_id': 'G0090', 'source_name': 'mitr...</td>\n",
       "      <td>2019-06-20T15:30:38.517Z</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>2019-05-24T17:02:44.226Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>WIRTE</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Lab52 by S2 Grupo]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description      aliases  \\\n",
       "0  Operation [Soft Cell](https://attack.mitre.org...  [Soft Cell]   \n",
       "1  [TA505](https://attack.mitre.org/groups/G0092)...      [TA505]   \n",
       "2  [Silence](https://attack.mitre.org/groups/G009...    [Silence]   \n",
       "3  [WIRTE](https://attack.mitre.org/groups/G0090)...      [WIRTE]   \n",
       "\n",
       "                                                  id  \\\n",
       "0  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...   \n",
       "1  intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb...   \n",
       "2  intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb...   \n",
       "3  intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'G0093', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'G0092', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'G0091', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'G0090', 'source_name': 'mitr...   \n",
       "\n",
       "                   modified           type                   created  \\\n",
       "0  2019-07-22T15:49:28.637Z  intrusion-set  2019-07-18T20:47:50.050Z   \n",
       "1  2019-06-24T19:11:41.060Z  intrusion-set  2019-05-28T15:54:17.213Z   \n",
       "2  2019-07-16T16:12:09.085Z  intrusion-set  2019-05-24T17:57:36.491Z   \n",
       "3  2019-06-20T15:30:38.517Z  intrusion-set  2019-05-24T17:02:44.226Z   \n",
       "\n",
       "                                 object_marking_refs       name  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...  Soft Cell   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...      TA505   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...    Silence   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...      WIRTE   \n",
       "\n",
       "  x_mitre_version                x_mitre_contributors revoked  \n",
       "0             1.0  [Cybereason Nocturnus, @nocturnus]     NaN  \n",
       "1             1.0                                 NaN     NaN  \n",
       "2             1.0            [Oleg Skulkin, Group-IB]     NaN  \n",
       "3             1.0                 [Lab52 by S2 Grupo]     NaN  "
      ]
     },
     "execution_count": 18,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups = []\n",
    "for t in all_attack['groups']:\n",
    "    groups.append(json.loads(t.serialize()))\n",
    "df = json_normalize(groups)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Groups**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 19,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['created_by_ref',\n",
       " 'description',\n",
       " 'aliases',\n",
       " 'id',\n",
       " 'external_references',\n",
       " 'modified',\n",
       " 'type',\n",
       " 'created',\n",
       " 'object_marking_refs',\n",
       " 'name',\n",
       " 'x_mitre_version',\n",
       " 'x_mitre_contributors',\n",
       " 'revoked']"
      ]
     },
     "execution_count": 19,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing one Groups example**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 20,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
       " 'description': 'Operation [Soft Cell](https://attack.mitre.org/groups/G0093) is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.(Citation: Cybereason Soft Cell June 2019)',\n",
       " 'aliases': ['Soft Cell'],\n",
       " 'id': 'intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258',\n",
       " 'external_references': [{'external_id': 'G0093',\n",
       "   'source_name': 'mitre-attack',\n",
       "   'url': 'https://attack.mitre.org/groups/G0093'},\n",
       "  {'source_name': 'Soft Cell',\n",
       "   'description': '(Citation: Cybereason Soft Cell June 2019)'},\n",
       "  {'source_name': 'Cybereason Soft Cell June 2019',\n",
       "   'description': 'Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.',\n",
       "   'url': 'https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers'}],\n",
       " 'modified': '2019-07-22T15:49:28.637Z',\n",
       " 'type': 'intrusion-set',\n",
       " 'created': '2019-07-18T20:47:50.050Z',\n",
       " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
       " 'name': 'Soft Cell',\n",
       " 'x_mitre_version': '1.0',\n",
       " 'x_mitre_contributors': ['Cybereason Nocturnus, @nocturnus']}"
      ]
     },
     "execution_count": 20,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Malware objects from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 21,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Malware in ATT&CK\n",
      "341\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Malware in ATT&CK\")\n",
    "print(len(all_attack['malware']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 22,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>modified</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>name</th>\n",
       "      <th>labels</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>revoked</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[HyperBro ](https://attack.mitre.org/software/...</td>\n",
       "      <td>malware--5e814485-012d-423d-b769-026bfed0f451</td>\n",
       "      <td>[{'external_id': 'S0398', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-14T21:14:18.656Z</td>\n",
       "      <td>malware</td>\n",
       "      <td>2019-07-09T17:42:44.777Z</td>\n",
       "      <td>HyperBro</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[HyperBro ]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[LoJax](https://attack.mitre.org/software/S039...</td>\n",
       "      <td>malware--b865dded-0553-4962-a44b-6fe7863effed</td>\n",
       "      <td>[{'external_id': 'S0397', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-02T20:53:26.470Z</td>\n",
       "      <td>malware</td>\n",
       "      <td>2019-07-02T12:58:09.598Z</td>\n",
       "      <td>LoJax</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[LoJax]</td>\n",
       "      <td>[Jean-Ian Boutin, ESET]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[EvilBunny](https://attack.mitre.org/software/...</td>\n",
       "      <td>malware--a8a778f5-0035-4870-bb25-53dc05029586</td>\n",
       "      <td>[{'external_id': 'S0396', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-01T18:16:32.917Z</td>\n",
       "      <td>malware</td>\n",
       "      <td>2019-06-28T17:40:32.217Z</td>\n",
       "      <td>EvilBunny</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[EvilBunny]</td>\n",
       "      <td>[ESET]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[LightNeuron](https://attack.mitre.org/softwar...</td>\n",
       "      <td>malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb</td>\n",
       "      <td>[{'external_id': 'S0395', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-16T17:12:00.360Z</td>\n",
       "      <td>malware</td>\n",
       "      <td>2019-06-28T13:09:26.710Z</td>\n",
       "      <td>LightNeuron</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows, Linux]</td>\n",
       "      <td>[LightNeuron]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description  \\\n",
       "0  [HyperBro ](https://attack.mitre.org/software/...   \n",
       "1  [LoJax](https://attack.mitre.org/software/S039...   \n",
       "2  [EvilBunny](https://attack.mitre.org/software/...   \n",
       "3  [LightNeuron](https://attack.mitre.org/softwar...   \n",
       "\n",
       "                                              id  \\\n",
       "0  malware--5e814485-012d-423d-b769-026bfed0f451   \n",
       "1  malware--b865dded-0553-4962-a44b-6fe7863effed   \n",
       "2  malware--a8a778f5-0035-4870-bb25-53dc05029586   \n",
       "3  malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'S0398', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'S0397', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'S0396', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'S0395', 'source_name': 'mitr...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                   modified     type                   created         name  \\\n",
       "0  2019-07-14T21:14:18.656Z  malware  2019-07-09T17:42:44.777Z    HyperBro    \n",
       "1  2019-07-02T20:53:26.470Z  malware  2019-07-02T12:58:09.598Z        LoJax   \n",
       "2  2019-07-01T18:16:32.917Z  malware  2019-06-28T17:40:32.217Z    EvilBunny   \n",
       "3  2019-07-16T17:12:00.360Z  malware  2019-06-28T13:09:26.710Z  LightNeuron   \n",
       "\n",
       "      labels x_mitre_version x_mitre_platforms x_mitre_aliases  \\\n",
       "0  [malware]             1.0         [Windows]     [HyperBro ]   \n",
       "1  [malware]             1.0         [Windows]         [LoJax]   \n",
       "2  [malware]             1.0         [Windows]     [EvilBunny]   \n",
       "3  [malware]             1.0  [Windows, Linux]   [LightNeuron]   \n",
       "\n",
       "      x_mitre_contributors revoked x_mitre_old_attack_id  \n",
       "0                      NaN     NaN                   NaN  \n",
       "1  [Jean-Ian Boutin, ESET]     NaN                   NaN  \n",
       "2                   [ESET]     NaN                   NaN  \n",
       "3                      NaN     NaN                   NaN  "
      ]
     },
     "execution_count": 22,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "malware = []\n",
    "for t in all_attack['malware']:\n",
    "    malware.append(json.loads(t.serialize()))\n",
    "df = json_normalize(malware)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Malware**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 23,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['created_by_ref',\n",
       " 'description',\n",
       " 'id',\n",
       " 'external_references',\n",
       " 'object_marking_refs',\n",
       " 'modified',\n",
       " 'type',\n",
       " 'created',\n",
       " 'name',\n",
       " 'labels',\n",
       " 'x_mitre_version',\n",
       " 'x_mitre_platforms',\n",
       " 'x_mitre_aliases',\n",
       " 'x_mitre_contributors',\n",
       " 'revoked',\n",
       " 'x_mitre_old_attack_id']"
      ]
     },
     "execution_count": 23,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing one Malware example**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 24,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
       " 'description': '[HyperBro ](https://attack.mitre.org/software/S0398) is a custom in-memory backdoor used by [Threat Group-3390](https://attack.mitre.org/groups/G0027).(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)',\n",
       " 'id': 'malware--5e814485-012d-423d-b769-026bfed0f451',\n",
       " 'external_references': [{'external_id': 'S0398',\n",
       "   'source_name': 'mitre-attack',\n",
       "   'url': 'https://attack.mitre.org/software/S0398'},\n",
       "  {'source_name': 'HyperBro ',\n",
       "   'description': '(Citation: Unit42 Emissary Panda May 2019)'},\n",
       "  {'source_name': 'Unit42 Emissary Panda May 2019',\n",
       "   'description': 'Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.',\n",
       "   'url': 'https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/'},\n",
       "  {'source_name': 'Securelist LuckyMouse June 2018',\n",
       "   'description': 'Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.',\n",
       "   'url': 'https://securelist.com/luckymouse-hits-national-data-center/86083/'},\n",
       "  {'source_name': 'Hacker News LuckyMouse June 2018',\n",
       "   'description': 'Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.',\n",
       "   'url': 'https://thehackernews.com/2018/06/chinese-watering-hole-attack.html'}],\n",
       " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
       " 'modified': '2019-07-14T21:14:18.656Z',\n",
       " 'type': 'malware',\n",
       " 'created': '2019-07-09T17:42:44.777Z',\n",
       " 'name': 'HyperBro ',\n",
       " 'labels': ['malware'],\n",
       " 'x_mitre_version': '1.0',\n",
       " 'x_mitre_platforms': ['Windows'],\n",
       " 'x_mitre_aliases': ['HyperBro ']}"
      ]
     },
     "execution_count": 24,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "malware[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Tools from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 25,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Tools in ATT&CK\n",
      "57\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Tools in ATT&CK\")\n",
    "print(len(all_attack['tools']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 26,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>modified</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>name</th>\n",
       "      <th>labels</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[PoshC2](https://attack.mitre.org/software/S03...</td>\n",
       "      <td>tool--4b57c098-f043-4da2-83ef-7588a6d426bc</td>\n",
       "      <td>[{'external_id': 'S0378', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-04-23T18:29:12.005Z</td>\n",
       "      <td>tool</td>\n",
       "      <td>2019-04-23T12:31:58.125Z</td>\n",
       "      <td>PoshC2</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows, Linux, macOS]</td>\n",
       "      <td>[PoshC2]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[RawDisk](https://attack.mitre.org/software/S0...</td>\n",
       "      <td>tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079</td>\n",
       "      <td>[{'external_id': 'S0364', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-04-19T19:04:55.892Z</td>\n",
       "      <td>tool</td>\n",
       "      <td>2019-03-25T12:30:40.919Z</td>\n",
       "      <td>RawDisk</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[RawDisk]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Empire](https://attack.mitre.org/software/S03...</td>\n",
       "      <td>tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3</td>\n",
       "      <td>[{'external_id': 'S0363', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-06-24T17:15:43.818Z</td>\n",
       "      <td>tool</td>\n",
       "      <td>2019-03-11T14:13:40.648Z</td>\n",
       "      <td>Empire</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Linux, macOS, Windows]</td>\n",
       "      <td>[Empire, EmPyre, PowerShell Empire]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Expand](https://attack.mitre.org/software/S03...</td>\n",
       "      <td>tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973</td>\n",
       "      <td>[{'external_id': 'S0361', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-04-19T18:52:30.033Z</td>\n",
       "      <td>tool</td>\n",
       "      <td>2019-02-19T19:17:14.971Z</td>\n",
       "      <td>Expand</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[Expand]</td>\n",
       "      <td>[Matthew Demaske, Adaptforward]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description  \\\n",
       "0  [PoshC2](https://attack.mitre.org/software/S03...   \n",
       "1  [RawDisk](https://attack.mitre.org/software/S0...   \n",
       "2  [Empire](https://attack.mitre.org/software/S03...   \n",
       "3  [Expand](https://attack.mitre.org/software/S03...   \n",
       "\n",
       "                                           id  \\\n",
       "0  tool--4b57c098-f043-4da2-83ef-7588a6d426bc   \n",
       "1  tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079   \n",
       "2  tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3   \n",
       "3  tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'S0378', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'S0364', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'S0363', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'S0361', 'source_name': 'mitr...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                   modified  type                   created     name  labels  \\\n",
       "0  2019-04-23T18:29:12.005Z  tool  2019-04-23T12:31:58.125Z   PoshC2  [tool]   \n",
       "1  2019-04-19T19:04:55.892Z  tool  2019-03-25T12:30:40.919Z  RawDisk  [tool]   \n",
       "2  2019-06-24T17:15:43.818Z  tool  2019-03-11T14:13:40.648Z   Empire  [tool]   \n",
       "3  2019-04-19T18:52:30.033Z  tool  2019-02-19T19:17:14.971Z   Expand  [tool]   \n",
       "\n",
       "  x_mitre_version        x_mitre_platforms  \\\n",
       "0             1.0  [Windows, Linux, macOS]   \n",
       "1             1.0                [Windows]   \n",
       "2             1.0  [Linux, macOS, Windows]   \n",
       "3             1.0                [Windows]   \n",
       "\n",
       "                       x_mitre_aliases             x_mitre_contributors  \\\n",
       "0                             [PoshC2]                              NaN   \n",
       "1                            [RawDisk]                              NaN   \n",
       "2  [Empire, EmPyre, PowerShell Empire]                              NaN   \n",
       "3                             [Expand]  [Matthew Demaske, Adaptforward]   \n",
       "\n",
       "  x_mitre_old_attack_id  \n",
       "0                   NaN  \n",
       "1                   NaN  \n",
       "2                   NaN  \n",
       "3                   NaN  "
      ]
     },
     "execution_count": 26,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "tools = []\n",
    "for t in all_attack['tools']:\n",
    "    tools.append(json.loads(t.serialize()))\n",
    "df = json_normalize(tools)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Tools**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 27,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['created_by_ref',\n",
       " 'description',\n",
       " 'id',\n",
       " 'external_references',\n",
       " 'object_marking_refs',\n",
       " 'modified',\n",
       " 'type',\n",
       " 'created',\n",
       " 'name',\n",
       " 'labels',\n",
       " 'x_mitre_version',\n",
       " 'x_mitre_platforms',\n",
       " 'x_mitre_aliases',\n",
       " 'x_mitre_contributors',\n",
       " 'x_mitre_old_attack_id']"
      ]
     },
     "execution_count": 27,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing one Tool example**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 28,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
       " 'description': '[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1086). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)',\n",
       " 'id': 'tool--4b57c098-f043-4da2-83ef-7588a6d426bc',\n",
       " 'external_references': [{'external_id': 'S0378',\n",
       "   'source_name': 'mitre-attack',\n",
       "   'url': 'https://attack.mitre.org/software/S0378'},\n",
       "  {'source_name': 'GitHub PoshC2',\n",
       "   'description': 'Nettitude. (2016, June 8). PoshC2: Powershell C2 Server and Implants. Retrieved April 23, 2019.',\n",
       "   'url': 'https://github.com/nettitude/PoshC2'}],\n",
       " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
       " 'modified': '2019-04-23T18:29:12.005Z',\n",
       " 'type': 'tool',\n",
       " 'created': '2019-04-23T12:31:58.125Z',\n",
       " 'name': 'PoshC2',\n",
       " 'labels': ['tool'],\n",
       " 'x_mitre_version': '1.0',\n",
       " 'x_mitre_platforms': ['Windows', 'Linux', 'macOS'],\n",
       " 'x_mitre_aliases': ['PoshC2']}"
      ]
     },
     "execution_count": 28,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "tools[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Relationships from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 29,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in ATT&CK\n",
      "6067\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in ATT&CK\")\n",
    "print(len(all_attack['relationships']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 30,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:49:28.744Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--380743e5-616c-4524-96e6-d545e5b6...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:28.744Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--92d7da27-2d91-488e-a00c-059dc1...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:35:24.376Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--919f6143-eb8c-48cd-8741-118040c3...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:29.135Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--00d0b012-8a03-410e-95de-5826bf...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:35:24.363Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--ee4d1b24-603f-40df-8f21-3c053fba...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:29.090Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:35:24.351Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--38be247c-74b0-42f3-964e-5f23ef42...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:29.092Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description          type  \\\n",
       "0  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "1  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "2  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "3  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "\n",
       "                    created  \\\n",
       "0  2019-07-22T15:49:28.744Z   \n",
       "1  2019-07-22T15:35:24.376Z   \n",
       "2  2019-07-22T15:35:24.363Z   \n",
       "3  2019-07-22T15:35:24.351Z   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  relationship--380743e5-616c-4524-96e6-d545e5b6...   \n",
       "1  relationship--919f6143-eb8c-48cd-8741-118040c3...   \n",
       "2  relationship--ee4d1b24-603f-40df-8f21-3c053fba...   \n",
       "3  relationship--38be247c-74b0-42f3-964e-5f23ef42...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "1  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "2  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "3  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "\n",
       "                   modified  \\\n",
       "0  2019-07-22T15:49:28.744Z   \n",
       "1  2019-07-22T15:49:29.135Z   \n",
       "2  2019-07-22T15:49:29.090Z   \n",
       "3  2019-07-22T15:49:29.092Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "1  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "2  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "3  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "\n",
       "                                          target_ref  \n",
       "0  attack-pattern--92d7da27-2d91-488e-a00c-059dc1...  \n",
       "1  attack-pattern--00d0b012-8a03-410e-95de-5826bf...  \n",
       "2  attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd...  \n",
       "3  attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841...  "
      ]
     },
     "execution_count": 30,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relationships = []\n",
    "for t in all_attack['relationships']:\n",
    "    relationships.append(json.loads(t.serialize()))\n",
    "df = json_normalize(relationships)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Relationships**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 31,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['created_by_ref',\n",
       " 'description',\n",
       " 'type',\n",
       " 'created',\n",
       " 'object_marking_refs',\n",
       " 'id',\n",
       " 'external_references',\n",
       " 'modified',\n",
       " 'source_ref',\n",
       " 'relationship_type',\n",
       " 'target_ref']"
      ]
     },
     "execution_count": 31,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing one Relationship example**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 32,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
       " 'description': '[Soft Cell](https://attack.mitre.org/groups/G0093) used Web shells and [HTRAN](https://attack.mitre.org/software/S0040) for C2 as well as to exfiltrate data.',\n",
       " 'type': 'relationship',\n",
       " 'created': '2019-07-22T15:49:28.744Z',\n",
       " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
       " 'id': 'relationship--380743e5-616c-4524-96e6-d545e5b653ea',\n",
       " 'external_references': [{'source_name': 'Cybereason Soft Cell June 2019',\n",
       "   'description': 'Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.',\n",
       "   'url': 'https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers'}],\n",
       " 'modified': '2019-07-22T15:49:28.744Z',\n",
       " 'source_ref': 'intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258',\n",
       " 'relationship_type': 'uses',\n",
       " 'target_ref': 'attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d'}"
      ]
     },
     "execution_count": 32,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relationships[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Tactics from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 33,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Tactics in ATT&CK\n",
      "40\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Tactics in ATT&CK\")\n",
    "print(len(all_attack['tactics']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 34,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>name</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_shortname</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>The adversary is trying to manipulate, interru...</td>\n",
       "      <td>x-mitre-tactic</td>\n",
       "      <td>Impact</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>x-mitre-tactic--5569339b-94c2-49ee-afb3-222293...</td>\n",
       "      <td>[{'external_id': 'TA0040', 'source_name': 'mit...</td>\n",
       "      <td>2019-07-25T18:42:23.222Z</td>\n",
       "      <td>2019-03-14T18:44:44.639Z</td>\n",
       "      <td>impact</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>The adversary is trying to gather data of inte...</td>\n",
       "      <td>x-mitre-tactic</td>\n",
       "      <td>Collection</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d...</td>\n",
       "      <td>[{'external_id': 'TA0009', 'source_name': 'mit...</td>\n",
       "      <td>2019-07-19T17:44:53.176Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>collection</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>The adversary is trying to communicate with co...</td>\n",
       "      <td>x-mitre-tactic</td>\n",
       "      <td>Command and Control</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd1...</td>\n",
       "      <td>[{'external_id': 'TA0011', 'source_name': 'mit...</td>\n",
       "      <td>2019-07-19T17:45:30.644Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>command-and-control</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>The adversary is trying to steal account names...</td>\n",
       "      <td>x-mitre-tactic</td>\n",
       "      <td>Credential Access</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>x-mitre-tactic--2558fd61-8c75-4730-94c4-11926d...</td>\n",
       "      <td>[{'external_id': 'TA0006', 'source_name': 'mit...</td>\n",
       "      <td>2019-07-19T17:43:41.967Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>credential-access</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description            type  \\\n",
       "0  The adversary is trying to manipulate, interru...  x-mitre-tactic   \n",
       "1  The adversary is trying to gather data of inte...  x-mitre-tactic   \n",
       "2  The adversary is trying to communicate with co...  x-mitre-tactic   \n",
       "3  The adversary is trying to steal account names...  x-mitre-tactic   \n",
       "\n",
       "                  name                                object_marking_refs  \\\n",
       "0               Impact  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1           Collection  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  Command and Control  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3    Credential Access  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  x-mitre-tactic--5569339b-94c2-49ee-afb3-222293...   \n",
       "1  x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d...   \n",
       "2  x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd1...   \n",
       "3  x-mitre-tactic--2558fd61-8c75-4730-94c4-11926d...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'TA0040', 'source_name': 'mit...   \n",
       "1  [{'external_id': 'TA0009', 'source_name': 'mit...   \n",
       "2  [{'external_id': 'TA0011', 'source_name': 'mit...   \n",
       "3  [{'external_id': 'TA0006', 'source_name': 'mit...   \n",
       "\n",
       "                   modified                   created    x_mitre_shortname  \n",
       "0  2019-07-25T18:42:23.222Z  2019-03-14T18:44:44.639Z               impact  \n",
       "1  2019-07-19T17:44:53.176Z  2018-10-17T00:14:20.652Z           collection  \n",
       "2  2019-07-19T17:45:30.644Z  2018-10-17T00:14:20.652Z  command-and-control  \n",
       "3  2019-07-19T17:43:41.967Z  2018-10-17T00:14:20.652Z    credential-access  "
      ]
     },
     "execution_count": 34,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "df = json_normalize(all_attack['tactics'])\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Tactics**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 35,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['created_by_ref',\n",
       " 'description',\n",
       " 'type',\n",
       " 'name',\n",
       " 'object_marking_refs',\n",
       " 'id',\n",
       " 'external_references',\n",
       " 'modified',\n",
       " 'created',\n",
       " 'x_mitre_shortname']"
      ]
     },
     "execution_count": 35,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Matrices from ATT&CK Results (Locally)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 36,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Matrices in ATT&CK\n",
      "4\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Matrices in ATT&CK\")\n",
    "print(len(all_attack['matrix']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 37,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>name</th>\n",
       "      <th>created</th>\n",
       "      <th>modified</th>\n",
       "      <th>type</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>tactic_refs</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'external_id': 'enterprise-attack', 'source_...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a8...</td>\n",
       "      <td>Enterprise ATT&amp;CK</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>2019-04-16T21:39:18.247Z</td>\n",
       "      <td>x-mitre-matrix</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>The full ATT&amp;CK Matrix includes techniques spa...</td>\n",
       "      <td>[x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3be...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'external_id': 'pre-attack', 'source_name': ...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d38...</td>\n",
       "      <td>PRE-ATT&amp;CK</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>2018-11-06T19:05:34.143Z</td>\n",
       "      <td>x-mitre-matrix</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>The MITRE PRE-ATT&amp;CK Matrix™ is an overview of...</td>\n",
       "      <td>[x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[{'external_id': 'mobile-attack', 'source_name...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd...</td>\n",
       "      <td>Network-Based Effects</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>x-mitre-matrix</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>The MITRE ATT&amp;CK Matrix™ provides a visual rep...</td>\n",
       "      <td>[x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc4...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[{'external_id': 'mobile-attack', 'source_name...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff0...</td>\n",
       "      <td>Device Access</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>x-mitre-matrix</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>The MITRE ATT&amp;CK Matrix™ provides a visual rep...</td>\n",
       "      <td>[x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'external_id': 'enterprise-attack', 'source_...   \n",
       "1  [{'external_id': 'pre-attack', 'source_name': ...   \n",
       "2  [{'external_id': 'mobile-attack', 'source_name...   \n",
       "3  [{'external_id': 'mobile-attack', 'source_name...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id                   name  \\\n",
       "0  x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a8...      Enterprise ATT&CK   \n",
       "1  x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d38...             PRE-ATT&CK   \n",
       "2  x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd...  Network-Based Effects   \n",
       "3  x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff0...          Device Access   \n",
       "\n",
       "                    created                  modified            type  \\\n",
       "0  2018-10-17T00:14:20.652Z  2019-04-16T21:39:18.247Z  x-mitre-matrix   \n",
       "1  2018-10-17T00:14:20.652Z  2018-11-06T19:05:34.143Z  x-mitre-matrix   \n",
       "2  2018-10-17T00:14:20.652Z  2018-10-17T00:14:20.652Z  x-mitre-matrix   \n",
       "3  2018-10-17T00:14:20.652Z  2018-10-17T00:14:20.652Z  x-mitre-matrix   \n",
       "\n",
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description  \\\n",
       "0  The full ATT&CK Matrix includes techniques spa...   \n",
       "1  The MITRE PRE-ATT&CK Matrix™ is an overview of...   \n",
       "2  The MITRE ATT&CK Matrix™ provides a visual rep...   \n",
       "3  The MITRE ATT&CK Matrix™ provides a visual rep...   \n",
       "\n",
       "                                         tactic_refs  \n",
       "0  [x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3be...  \n",
       "1  [x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1...  \n",
       "2  [x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc4...  \n",
       "3  [x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290...  "
      ]
     },
     "execution_count": 37,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "df = json_normalize(all_attack['matrix'])\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Showing the schema of Tactics**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 38,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['external_references',\n",
       " 'object_marking_refs',\n",
       " 'id',\n",
       " 'name',\n",
       " 'created',\n",
       " 'modified',\n",
       " 'type',\n",
       " 'created_by_ref',\n",
       " 'description',\n",
       " 'tactic_refs']"
      ]
     },
     "execution_count": 38,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "list(df)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Enterprise ATT&CK ONLY from Results (Locally)\n",
    "* We can also grab the results from each get_* function that we run earlier, and start getting specific stix object types such as techniques, mitigations, groups, malware, tools and relationships on each specific matrix.\n",
    "* It is important to remember that the stix objec information is being retrieved from the results of the initial three **get_*** functions and not querying the TAXII Server every time we want to get information about a specific stix object type."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Enterprise Techniques**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 39,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in Enterprise ATT&CK\n",
      "244\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in Enterprise ATT&CK\")\n",
    "print(len(all_enterprise['techniques']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 40,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>type</th>\n",
       "      <th>modified</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>kill_chain_phases</th>\n",
       "      <th>id</th>\n",
       "      <th>name</th>\n",
       "      <th>created</th>\n",
       "      <th>description</th>\n",
       "      <th>...</th>\n",
       "      <th>x_mitre_data_sources</th>\n",
       "      <th>x_mitre_detection</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_system_requirements</th>\n",
       "      <th>x_mitre_defense_bypassed</th>\n",
       "      <th>x_mitre_impact_type</th>\n",
       "      <th>x_mitre_remote_support</th>\n",
       "      <th>x_mitre_effective_permissions</th>\n",
       "      <th>x_mitre_network_requirements</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'external_id': 'T1500', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>2019-04-29T21:13:49.686Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'defense-evasion', 'kill_chain...</td>\n",
       "      <td>attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120...</td>\n",
       "      <td>Compile After Delivery</td>\n",
       "      <td>2019-04-25T20:53:07.719Z</td>\n",
       "      <td>Adversaries may attempt to make payloads diffi...</td>\n",
       "      <td>...</td>\n",
       "      <td>[Process command-line parameters, Process moni...</td>\n",
       "      <td>Monitor the execution file paths and command-l...</td>\n",
       "      <td>[Linux, macOS, Windows]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Compiler software (either native to the syste...</td>\n",
       "      <td>[Static File Analysis, Binary Analysis, Anti-v...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'external_id': 'T1501', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>2019-04-29T14:14:08.450Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'persistence', 'kill_chain_nam...</td>\n",
       "      <td>attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303...</td>\n",
       "      <td>Systemd Service</td>\n",
       "      <td>2019-04-23T15:34:30.008Z</td>\n",
       "      <td>Systemd services can be used to establish pers...</td>\n",
       "      <td>...</td>\n",
       "      <td>[Process command-line parameters, Process moni...</td>\n",
       "      <td>Systemd service unit files may be detected by ...</td>\n",
       "      <td>[Linux]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[{'external_id': 'T1499', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>2019-04-29T13:20:36.795Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'impact', 'kill_chain_name': '...</td>\n",
       "      <td>attack-pattern--c675646d-e204-4aa8-978d-e3d6d6...</td>\n",
       "      <td>Endpoint Denial of Service</td>\n",
       "      <td>2019-04-18T11:00:55.862Z</td>\n",
       "      <td>Adversaries may perform Endpoint Denial of Ser...</td>\n",
       "      <td>...</td>\n",
       "      <td>[SSL/TLS inspection, Web logs, Web application...</td>\n",
       "      <td>Detection of Endpoint DoS can sometimes be ach...</td>\n",
       "      <td>[Linux, macOS, Windows]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>[Availability]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[{'external_id': 'T1497', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>2019-06-10T17:37:37.138Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'defense-evasion', 'kill_chain...</td>\n",
       "      <td>attack-pattern--82caa33e-d11a-433a-94ea-9b5a5f...</td>\n",
       "      <td>Virtualization/Sandbox Evasion</td>\n",
       "      <td>2019-04-17T22:22:24.505Z</td>\n",
       "      <td>Adversaries may check for the presence of a vi...</td>\n",
       "      <td>...</td>\n",
       "      <td>[Process monitoring, Process command-line para...</td>\n",
       "      <td>Virtualization, sandbox, and related discovery...</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>[Anti-virus, Host forensic analysis, Signature...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>4 rows × 22 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'external_id': 'T1500', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'T1501', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'T1499', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'T1497', 'source_name': 'mitr...   \n",
       "\n",
       "                                 object_marking_refs            type  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "\n",
       "                   modified                                  created_by_ref  \\\n",
       "0  2019-04-29T21:13:49.686Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  2019-04-29T14:14:08.450Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  2019-04-29T13:20:36.795Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  2019-06-10T17:37:37.138Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                   kill_chain_phases  \\\n",
       "0  [{'phase_name': 'defense-evasion', 'kill_chain...   \n",
       "1  [{'phase_name': 'persistence', 'kill_chain_nam...   \n",
       "2  [{'phase_name': 'impact', 'kill_chain_name': '...   \n",
       "3  [{'phase_name': 'defense-evasion', 'kill_chain...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120...   \n",
       "1  attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303...   \n",
       "2  attack-pattern--c675646d-e204-4aa8-978d-e3d6d6...   \n",
       "3  attack-pattern--82caa33e-d11a-433a-94ea-9b5a5f...   \n",
       "\n",
       "                             name                   created  \\\n",
       "0          Compile After Delivery  2019-04-25T20:53:07.719Z   \n",
       "1                 Systemd Service  2019-04-23T15:34:30.008Z   \n",
       "2      Endpoint Denial of Service  2019-04-18T11:00:55.862Z   \n",
       "3  Virtualization/Sandbox Evasion  2019-04-17T22:22:24.505Z   \n",
       "\n",
       "                                         description  ...  \\\n",
       "0  Adversaries may attempt to make payloads diffi...  ...   \n",
       "1  Systemd services can be used to establish pers...  ...   \n",
       "2  Adversaries may perform Endpoint Denial of Ser...  ...   \n",
       "3  Adversaries may check for the presence of a vi...  ...   \n",
       "\n",
       "                                x_mitre_data_sources  \\\n",
       "0  [Process command-line parameters, Process moni...   \n",
       "1  [Process command-line parameters, Process moni...   \n",
       "2  [SSL/TLS inspection, Web logs, Web application...   \n",
       "3  [Process monitoring, Process command-line para...   \n",
       "\n",
       "                                   x_mitre_detection        x_mitre_platforms  \\\n",
       "0  Monitor the execution file paths and command-l...  [Linux, macOS, Windows]   \n",
       "1  Systemd service unit files may be detected by ...                  [Linux]   \n",
       "2  Detection of Endpoint DoS can sometimes be ach...  [Linux, macOS, Windows]   \n",
       "3  Virtualization, sandbox, and related discovery...                [Windows]   \n",
       "\n",
       "  x_mitre_version                        x_mitre_system_requirements  \\\n",
       "0             1.0  [Compiler software (either native to the syste...   \n",
       "1             1.0                                                NaN   \n",
       "2             1.0                                                NaN   \n",
       "3             1.0                                                NaN   \n",
       "\n",
       "                            x_mitre_defense_bypassed x_mitre_impact_type  \\\n",
       "0  [Static File Analysis, Binary Analysis, Anti-v...                 NaN   \n",
       "1                                                NaN                 NaN   \n",
       "2                                                NaN      [Availability]   \n",
       "3  [Anti-virus, Host forensic analysis, Signature...                 NaN   \n",
       "\n",
       "  x_mitre_remote_support x_mitre_effective_permissions  \\\n",
       "0                    NaN                           NaN   \n",
       "1                    NaN                           NaN   \n",
       "2                    NaN                           NaN   \n",
       "3                    NaN                           NaN   \n",
       "\n",
       "  x_mitre_network_requirements  \n",
       "0                          NaN  \n",
       "1                          NaN  \n",
       "2                          NaN  \n",
       "3                          NaN  \n",
       "\n",
       "[4 rows x 22 columns]"
      ]
     },
     "execution_count": 40,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques = []\n",
    "for t in all_enterprise['techniques']:\n",
    "    techniques.append(json.loads(t.serialize()))\n",
    "df = json_normalize(techniques)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Enterprise Mitigations**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 41,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Mitigations in Enterprise ATT&CK\n",
      "281\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Mitigations in Enterprise ATT&CK\")\n",
    "print(len(all_enterprise['mitigations']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 42,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>name</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>This category is to associate techniques that ...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Do Not Mitigate</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--787fb64d-c87b-4ee5-a341-0ef1...</td>\n",
       "      <td>[{'external_id': 'M1055', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-23T14:44:24.727Z</td>\n",
       "      <td>2019-07-19T14:58:42.715Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Implement configuration changes to software (o...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Software Configuration</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...</td>\n",
       "      <td>[{'external_id': 'M1054', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-19T14:57:15.656Z</td>\n",
       "      <td>2019-07-19T14:40:23.529Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Take and store data backups from end user syst...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Data Backup</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...</td>\n",
       "      <td>[{'external_id': 'M1053', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-19T14:33:33.543Z</td>\n",
       "      <td>2019-07-19T14:33:33.543Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Configure Windows User Account Control to miti...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>User Account Control</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--2c2ad92a-d710-41ab-a996-1db1...</td>\n",
       "      <td>[{'external_id': 'M1052', 'source_name': 'mitr...</td>\n",
       "      <td>2019-06-11T17:14:35.170Z</td>\n",
       "      <td>2019-06-11T17:14:35.170Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Perform regular software updates to mitigate e...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Update Software</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--e5d930e9-775a-40ad-9bdb-b941...</td>\n",
       "      <td>[{'external_id': 'M1051', 'source_name': 'mitr...</td>\n",
       "      <td>2019-06-11T17:12:55.207Z</td>\n",
       "      <td>2019-06-11T17:12:55.207Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "4  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description              type  \\\n",
       "0  This category is to associate techniques that ...  course-of-action   \n",
       "1  Implement configuration changes to software (o...  course-of-action   \n",
       "2  Take and store data backups from end user syst...  course-of-action   \n",
       "3  Configure Windows User Account Control to miti...  course-of-action   \n",
       "4  Perform regular software updates to mitigate e...  course-of-action   \n",
       "\n",
       "                     name                                object_marking_refs  \\\n",
       "0         Do Not Mitigate  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  Software Configuration  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2             Data Backup  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3    User Account Control  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "4         Update Software  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  course-of-action--787fb64d-c87b-4ee5-a341-0ef1...   \n",
       "1  course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...   \n",
       "2  course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...   \n",
       "3  course-of-action--2c2ad92a-d710-41ab-a996-1db1...   \n",
       "4  course-of-action--e5d930e9-775a-40ad-9bdb-b941...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'M1055', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'M1054', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'M1053', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'M1052', 'source_name': 'mitr...   \n",
       "4  [{'external_id': 'M1051', 'source_name': 'mitr...   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2019-07-23T14:44:24.727Z  2019-07-19T14:58:42.715Z             1.0   \n",
       "1  2019-07-19T14:57:15.656Z  2019-07-19T14:40:23.529Z             1.0   \n",
       "2  2019-07-19T14:33:33.543Z  2019-07-19T14:33:33.543Z             1.0   \n",
       "3  2019-06-11T17:14:35.170Z  2019-06-11T17:14:35.170Z             1.0   \n",
       "4  2019-06-11T17:12:55.207Z  2019-06-11T17:12:55.207Z             1.0   \n",
       "\n",
       "  x_mitre_deprecated  \n",
       "0                NaN  \n",
       "1                NaN  \n",
       "2                NaN  \n",
       "3                NaN  \n",
       "4                NaN  "
      ]
     },
     "execution_count": 42,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mitigations = []\n",
    "for t in all_enterprise['mitigations']:\n",
    "    mitigations.append(json.loads(t.serialize()))\n",
    "df = json_normalize(mitigations)\n",
    "df[0:5]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Enterprise Groups**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 43,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in Enterprise ATT&CK\n",
      "93\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in Enterprise ATT&CK\")\n",
    "print(len(all_enterprise['groups']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 44,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>aliases</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>name</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>revoked</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Operation [Soft Cell](https://attack.mitre.org...</td>\n",
       "      <td>[Soft Cell]</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>[{'external_id': 'G0093', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-22T15:49:28.637Z</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>2019-07-18T20:47:50.050Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>Soft Cell</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Cybereason Nocturnus, @nocturnus]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[TA505](https://attack.mitre.org/groups/G0092)...</td>\n",
       "      <td>[TA505]</td>\n",
       "      <td>intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb...</td>\n",
       "      <td>[{'external_id': 'G0092', 'source_name': 'mitr...</td>\n",
       "      <td>2019-06-24T19:11:41.060Z</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>2019-05-28T15:54:17.213Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>TA505</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Silence](https://attack.mitre.org/groups/G009...</td>\n",
       "      <td>[Silence]</td>\n",
       "      <td>intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb...</td>\n",
       "      <td>[{'external_id': 'G0091', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-16T16:12:09.085Z</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>2019-05-24T17:57:36.491Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>Silence</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Oleg Skulkin, Group-IB]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[WIRTE](https://attack.mitre.org/groups/G0090)...</td>\n",
       "      <td>[WIRTE]</td>\n",
       "      <td>intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3...</td>\n",
       "      <td>[{'external_id': 'G0090', 'source_name': 'mitr...</td>\n",
       "      <td>2019-06-20T15:30:38.517Z</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>2019-05-24T17:02:44.226Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>WIRTE</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Lab52 by S2 Grupo]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description      aliases  \\\n",
       "0  Operation [Soft Cell](https://attack.mitre.org...  [Soft Cell]   \n",
       "1  [TA505](https://attack.mitre.org/groups/G0092)...      [TA505]   \n",
       "2  [Silence](https://attack.mitre.org/groups/G009...    [Silence]   \n",
       "3  [WIRTE](https://attack.mitre.org/groups/G0090)...      [WIRTE]   \n",
       "\n",
       "                                                  id  \\\n",
       "0  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...   \n",
       "1  intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb...   \n",
       "2  intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb...   \n",
       "3  intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'G0093', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'G0092', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'G0091', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'G0090', 'source_name': 'mitr...   \n",
       "\n",
       "                   modified           type                   created  \\\n",
       "0  2019-07-22T15:49:28.637Z  intrusion-set  2019-07-18T20:47:50.050Z   \n",
       "1  2019-06-24T19:11:41.060Z  intrusion-set  2019-05-28T15:54:17.213Z   \n",
       "2  2019-07-16T16:12:09.085Z  intrusion-set  2019-05-24T17:57:36.491Z   \n",
       "3  2019-06-20T15:30:38.517Z  intrusion-set  2019-05-24T17:02:44.226Z   \n",
       "\n",
       "                                 object_marking_refs       name  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...  Soft Cell   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...      TA505   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...    Silence   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...      WIRTE   \n",
       "\n",
       "  x_mitre_version                x_mitre_contributors revoked  \n",
       "0             1.0  [Cybereason Nocturnus, @nocturnus]     NaN  \n",
       "1             1.0                                 NaN     NaN  \n",
       "2             1.0            [Oleg Skulkin, Group-IB]     NaN  \n",
       "3             1.0                 [Lab52 by S2 Grupo]     NaN  "
      ]
     },
     "execution_count": 44,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups = []\n",
    "for t in all_enterprise['groups']:\n",
    "    groups.append(json.loads(t.serialize()))\n",
    "df = json_normalize(groups)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Enterprise Malware**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 45,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Malware objects in Enterprise ATT&CK\n",
      "297\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Malware objects in Enterprise ATT&CK\")\n",
    "print(len(all_enterprise['malware']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 46,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>modified</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>name</th>\n",
       "      <th>labels</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>revoked</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[HyperBro ](https://attack.mitre.org/software/...</td>\n",
       "      <td>malware--5e814485-012d-423d-b769-026bfed0f451</td>\n",
       "      <td>[{'external_id': 'S0398', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-14T21:14:18.656Z</td>\n",
       "      <td>malware</td>\n",
       "      <td>2019-07-09T17:42:44.777Z</td>\n",
       "      <td>HyperBro</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[HyperBro ]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[LoJax](https://attack.mitre.org/software/S039...</td>\n",
       "      <td>malware--b865dded-0553-4962-a44b-6fe7863effed</td>\n",
       "      <td>[{'external_id': 'S0397', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-02T20:53:26.470Z</td>\n",
       "      <td>malware</td>\n",
       "      <td>2019-07-02T12:58:09.598Z</td>\n",
       "      <td>LoJax</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[LoJax]</td>\n",
       "      <td>[Jean-Ian Boutin, ESET]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[EvilBunny](https://attack.mitre.org/software/...</td>\n",
       "      <td>malware--a8a778f5-0035-4870-bb25-53dc05029586</td>\n",
       "      <td>[{'external_id': 'S0396', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-01T18:16:32.917Z</td>\n",
       "      <td>malware</td>\n",
       "      <td>2019-06-28T17:40:32.217Z</td>\n",
       "      <td>EvilBunny</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[EvilBunny]</td>\n",
       "      <td>[ESET]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[LightNeuron](https://attack.mitre.org/softwar...</td>\n",
       "      <td>malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb</td>\n",
       "      <td>[{'external_id': 'S0395', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-16T17:12:00.360Z</td>\n",
       "      <td>malware</td>\n",
       "      <td>2019-06-28T13:09:26.710Z</td>\n",
       "      <td>LightNeuron</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows, Linux]</td>\n",
       "      <td>[LightNeuron]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description  \\\n",
       "0  [HyperBro ](https://attack.mitre.org/software/...   \n",
       "1  [LoJax](https://attack.mitre.org/software/S039...   \n",
       "2  [EvilBunny](https://attack.mitre.org/software/...   \n",
       "3  [LightNeuron](https://attack.mitre.org/softwar...   \n",
       "\n",
       "                                              id  \\\n",
       "0  malware--5e814485-012d-423d-b769-026bfed0f451   \n",
       "1  malware--b865dded-0553-4962-a44b-6fe7863effed   \n",
       "2  malware--a8a778f5-0035-4870-bb25-53dc05029586   \n",
       "3  malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'S0398', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'S0397', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'S0396', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'S0395', 'source_name': 'mitr...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                   modified     type                   created         name  \\\n",
       "0  2019-07-14T21:14:18.656Z  malware  2019-07-09T17:42:44.777Z    HyperBro    \n",
       "1  2019-07-02T20:53:26.470Z  malware  2019-07-02T12:58:09.598Z        LoJax   \n",
       "2  2019-07-01T18:16:32.917Z  malware  2019-06-28T17:40:32.217Z    EvilBunny   \n",
       "3  2019-07-16T17:12:00.360Z  malware  2019-06-28T13:09:26.710Z  LightNeuron   \n",
       "\n",
       "      labels x_mitre_version x_mitre_platforms x_mitre_aliases  \\\n",
       "0  [malware]             1.0         [Windows]     [HyperBro ]   \n",
       "1  [malware]             1.0         [Windows]         [LoJax]   \n",
       "2  [malware]             1.0         [Windows]     [EvilBunny]   \n",
       "3  [malware]             1.0  [Windows, Linux]   [LightNeuron]   \n",
       "\n",
       "      x_mitre_contributors revoked x_mitre_old_attack_id  \n",
       "0                      NaN     NaN                   NaN  \n",
       "1  [Jean-Ian Boutin, ESET]     NaN                   NaN  \n",
       "2                   [ESET]     NaN                   NaN  \n",
       "3                      NaN     NaN                   NaN  "
      ]
     },
     "execution_count": 46,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "malware = []\n",
    "for t in all_enterprise['malware']:\n",
    "    malware.append(json.loads(t.serialize()))\n",
    "df = json_normalize(malware)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Enterprise Tools**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 47,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Tools in Enterprise ATT&CK\n",
      "56\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Tools in Enterprise ATT&CK\")\n",
    "print(len(all_enterprise['tools']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 48,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>modified</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>name</th>\n",
       "      <th>labels</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[PoshC2](https://attack.mitre.org/software/S03...</td>\n",
       "      <td>tool--4b57c098-f043-4da2-83ef-7588a6d426bc</td>\n",
       "      <td>[{'external_id': 'S0378', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-04-23T18:29:12.005Z</td>\n",
       "      <td>tool</td>\n",
       "      <td>2019-04-23T12:31:58.125Z</td>\n",
       "      <td>PoshC2</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows, Linux, macOS]</td>\n",
       "      <td>[PoshC2]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[RawDisk](https://attack.mitre.org/software/S0...</td>\n",
       "      <td>tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079</td>\n",
       "      <td>[{'external_id': 'S0364', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-04-19T19:04:55.892Z</td>\n",
       "      <td>tool</td>\n",
       "      <td>2019-03-25T12:30:40.919Z</td>\n",
       "      <td>RawDisk</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[RawDisk]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Empire](https://attack.mitre.org/software/S03...</td>\n",
       "      <td>tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3</td>\n",
       "      <td>[{'external_id': 'S0363', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-06-24T17:15:43.818Z</td>\n",
       "      <td>tool</td>\n",
       "      <td>2019-03-11T14:13:40.648Z</td>\n",
       "      <td>Empire</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Linux, macOS, Windows]</td>\n",
       "      <td>[Empire, EmPyre, PowerShell Empire]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Expand](https://attack.mitre.org/software/S03...</td>\n",
       "      <td>tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973</td>\n",
       "      <td>[{'external_id': 'S0361', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-04-19T18:52:30.033Z</td>\n",
       "      <td>tool</td>\n",
       "      <td>2019-02-19T19:17:14.971Z</td>\n",
       "      <td>Expand</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[Expand]</td>\n",
       "      <td>[Matthew Demaske, Adaptforward]</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description  \\\n",
       "0  [PoshC2](https://attack.mitre.org/software/S03...   \n",
       "1  [RawDisk](https://attack.mitre.org/software/S0...   \n",
       "2  [Empire](https://attack.mitre.org/software/S03...   \n",
       "3  [Expand](https://attack.mitre.org/software/S03...   \n",
       "\n",
       "                                           id  \\\n",
       "0  tool--4b57c098-f043-4da2-83ef-7588a6d426bc   \n",
       "1  tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079   \n",
       "2  tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3   \n",
       "3  tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'S0378', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'S0364', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'S0363', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'S0361', 'source_name': 'mitr...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                   modified  type                   created     name  labels  \\\n",
       "0  2019-04-23T18:29:12.005Z  tool  2019-04-23T12:31:58.125Z   PoshC2  [tool]   \n",
       "1  2019-04-19T19:04:55.892Z  tool  2019-03-25T12:30:40.919Z  RawDisk  [tool]   \n",
       "2  2019-06-24T17:15:43.818Z  tool  2019-03-11T14:13:40.648Z   Empire  [tool]   \n",
       "3  2019-04-19T18:52:30.033Z  tool  2019-02-19T19:17:14.971Z   Expand  [tool]   \n",
       "\n",
       "  x_mitre_version        x_mitre_platforms  \\\n",
       "0             1.0  [Windows, Linux, macOS]   \n",
       "1             1.0                [Windows]   \n",
       "2             1.0  [Linux, macOS, Windows]   \n",
       "3             1.0                [Windows]   \n",
       "\n",
       "                       x_mitre_aliases             x_mitre_contributors  \n",
       "0                             [PoshC2]                              NaN  \n",
       "1                            [RawDisk]                              NaN  \n",
       "2  [Empire, EmPyre, PowerShell Empire]                              NaN  \n",
       "3                             [Expand]  [Matthew Demaske, Adaptforward]  "
      ]
     },
     "execution_count": 48,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "tools = []\n",
    "for t in all_enterprise['tools']:\n",
    "    tools.append(json.loads(t.serialize()))\n",
    "df = json_normalize(tools)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Enterprise Relationships**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 49,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in Enterprise ATT&CK\n",
      "5675\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in Enterprise ATT&CK\")\n",
    "print(len(all_enterprise['relationships']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 50,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:49:28.744Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--380743e5-616c-4524-96e6-d545e5b6...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:28.744Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--92d7da27-2d91-488e-a00c-059dc1...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:35:24.376Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--919f6143-eb8c-48cd-8741-118040c3...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:29.135Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--00d0b012-8a03-410e-95de-5826bf...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:35:24.363Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--ee4d1b24-603f-40df-8f21-3c053fba...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:29.090Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:35:24.351Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--38be247c-74b0-42f3-964e-5f23ef42...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:29.092Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description          type  \\\n",
       "0  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "1  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "2  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "3  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "\n",
       "                    created  \\\n",
       "0  2019-07-22T15:49:28.744Z   \n",
       "1  2019-07-22T15:35:24.376Z   \n",
       "2  2019-07-22T15:35:24.363Z   \n",
       "3  2019-07-22T15:35:24.351Z   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  relationship--380743e5-616c-4524-96e6-d545e5b6...   \n",
       "1  relationship--919f6143-eb8c-48cd-8741-118040c3...   \n",
       "2  relationship--ee4d1b24-603f-40df-8f21-3c053fba...   \n",
       "3  relationship--38be247c-74b0-42f3-964e-5f23ef42...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "1  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "2  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "3  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "\n",
       "                   modified  \\\n",
       "0  2019-07-22T15:49:28.744Z   \n",
       "1  2019-07-22T15:49:29.135Z   \n",
       "2  2019-07-22T15:49:29.090Z   \n",
       "3  2019-07-22T15:49:29.092Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "1  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "2  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "3  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "\n",
       "                                          target_ref  \n",
       "0  attack-pattern--92d7da27-2d91-488e-a00c-059dc1...  \n",
       "1  attack-pattern--00d0b012-8a03-410e-95de-5826bf...  \n",
       "2  attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd...  \n",
       "3  attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841...  "
      ]
     },
     "execution_count": 50,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relations = []\n",
    "for t in all_enterprise['relationships']:\n",
    "    relations.append(json.loads(t.serialize()))\n",
    "df = json_normalize(relations)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All PRE-ATT&CK ONLY from Results (Locally)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**PRE Techniques**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 51,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in PRE-ATT&CK\n",
      "174\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in PRE-ATT&CK\")\n",
    "print(len(all_pre['techniques']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 52,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>modified</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>kill_chain_phases</th>\n",
       "      <th>id</th>\n",
       "      <th>name</th>\n",
       "      <th>created</th>\n",
       "      <th>type</th>\n",
       "      <th>description</th>\n",
       "      <th>x_mitre_detectable_by_common_defenses</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_difficulty_for_adversary_explanation</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>x_mitre_difficulty_for_adversary</th>\n",
       "      <th>x_mitre_detectable_by_common_defenses_explanation</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'technical-information-gatheri...</td>\n",
       "      <td>attack-pattern--b182f29c-2505-4b32-a000-0440ef...</td>\n",
       "      <td>Spearphishing for Information</td>\n",
       "      <td>2018-04-18T17:59:24.739Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>Spearphishing for information is a specific va...</td>\n",
       "      <td>Partial</td>\n",
       "      <td>1.0</td>\n",
       "      <td>Sending emails is trivial, and, over time, an ...</td>\n",
       "      <td>PRE-T1174</td>\n",
       "      <td>Yes</td>\n",
       "      <td>Depending on the specific method of phishing, ...</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'adversary-opsec', 'kill_chain...</td>\n",
       "      <td>attack-pattern--286cc500-4291-45c2-99a1-e760db...</td>\n",
       "      <td>Acquire and/or use 3rd party infrastructure se...</td>\n",
       "      <td>2017-12-14T16:46:06.044Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>A wide variety of cloud, virtual private servi...</td>\n",
       "      <td>No</td>\n",
       "      <td>1.0</td>\n",
       "      <td>Wide range of 3rd party services for hosting, ...</td>\n",
       "      <td>PRE-T1084</td>\n",
       "      <td>Yes</td>\n",
       "      <td>3rd party services highly leveraged by legitim...</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'people-information-gathering'...</td>\n",
       "      <td>attack-pattern--b3f36317-3940-4d71-968f-e11ac1...</td>\n",
       "      <td>Aggregate individual's digital footprint</td>\n",
       "      <td>2017-12-14T16:46:06.044Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>In addition to a target's social media presenc...</td>\n",
       "      <td>No</td>\n",
       "      <td>1.0</td>\n",
       "      <td>Information readily available through searches</td>\n",
       "      <td>PRE-T1052</td>\n",
       "      <td>Yes</td>\n",
       "      <td>Searching publicly available sources that cann...</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'technical-weakness-identifica...</td>\n",
       "      <td>attack-pattern--a1e8d61b-22e1-4983-8485-964201...</td>\n",
       "      <td>Analyze hardware/software security defensive c...</td>\n",
       "      <td>2017-12-14T16:46:06.044Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>An adversary can probe a victim's network to d...</td>\n",
       "      <td>No</td>\n",
       "      <td>1.0</td>\n",
       "      <td>Analyze network traffic to determine security ...</td>\n",
       "      <td>PRE-T1071</td>\n",
       "      <td>Yes</td>\n",
       "      <td>This can be done offline after the data has be...</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "1  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "2  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "3  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                   modified                                  created_by_ref  \\\n",
       "0  2018-10-17T00:14:20.652Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  2018-10-17T00:14:20.652Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  2018-10-17T00:14:20.652Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  2018-10-17T00:14:20.652Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                   kill_chain_phases  \\\n",
       "0  [{'phase_name': 'technical-information-gatheri...   \n",
       "1  [{'phase_name': 'adversary-opsec', 'kill_chain...   \n",
       "2  [{'phase_name': 'people-information-gathering'...   \n",
       "3  [{'phase_name': 'technical-weakness-identifica...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  attack-pattern--b182f29c-2505-4b32-a000-0440ef...   \n",
       "1  attack-pattern--286cc500-4291-45c2-99a1-e760db...   \n",
       "2  attack-pattern--b3f36317-3940-4d71-968f-e11ac1...   \n",
       "3  attack-pattern--a1e8d61b-22e1-4983-8485-964201...   \n",
       "\n",
       "                                                name  \\\n",
       "0                      Spearphishing for Information   \n",
       "1  Acquire and/or use 3rd party infrastructure se...   \n",
       "2           Aggregate individual's digital footprint   \n",
       "3  Analyze hardware/software security defensive c...   \n",
       "\n",
       "                    created            type  \\\n",
       "0  2018-04-18T17:59:24.739Z  attack-pattern   \n",
       "1  2017-12-14T16:46:06.044Z  attack-pattern   \n",
       "2  2017-12-14T16:46:06.044Z  attack-pattern   \n",
       "3  2017-12-14T16:46:06.044Z  attack-pattern   \n",
       "\n",
       "                                         description  \\\n",
       "0  Spearphishing for information is a specific va...   \n",
       "1  A wide variety of cloud, virtual private servi...   \n",
       "2  In addition to a target's social media presenc...   \n",
       "3  An adversary can probe a victim's network to d...   \n",
       "\n",
       "  x_mitre_detectable_by_common_defenses x_mitre_version  \\\n",
       "0                               Partial             1.0   \n",
       "1                                    No             1.0   \n",
       "2                                    No             1.0   \n",
       "3                                    No             1.0   \n",
       "\n",
       "        x_mitre_difficulty_for_adversary_explanation x_mitre_old_attack_id  \\\n",
       "0  Sending emails is trivial, and, over time, an ...             PRE-T1174   \n",
       "1  Wide range of 3rd party services for hosting, ...             PRE-T1084   \n",
       "2     Information readily available through searches             PRE-T1052   \n",
       "3  Analyze network traffic to determine security ...             PRE-T1071   \n",
       "\n",
       "  x_mitre_difficulty_for_adversary  \\\n",
       "0                              Yes   \n",
       "1                              Yes   \n",
       "2                              Yes   \n",
       "3                              Yes   \n",
       "\n",
       "   x_mitre_detectable_by_common_defenses_explanation x_mitre_deprecated  \n",
       "0  Depending on the specific method of phishing, ...                NaN  \n",
       "1  3rd party services highly leveraged by legitim...                NaN  \n",
       "2  Searching publicly available sources that cann...                NaN  \n",
       "3  This can be done offline after the data has be...                NaN  "
      ]
     },
     "execution_count": 52,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques = []\n",
    "for t in all_pre['techniques']:\n",
    "    techniques.append(json.loads(t.serialize()))\n",
    "df = json_normalize(techniques)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**PRE Groups**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 53,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in PRE-ATT&CK\n",
      "7\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in PRE-ATT&CK\")\n",
    "print(len(all_pre['groups']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 54,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>aliases</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>TEMP.Veles</td>\n",
       "      <td>[TEMP.Veles](https://attack.mitre.org/groups/G...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>[TEMP.Veles, XENOTIME]</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...</td>\n",
       "      <td>[{'external_id': 'G0088', 'source_name': 'mitr...</td>\n",
       "      <td>2019-04-29T18:59:16.079Z</td>\n",
       "      <td>2019-04-16T15:14:38.533Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>APT17</td>\n",
       "      <td>[APT17](https://attack.mitre.org/groups/G0025)...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>[APT17, Deputy Dog]</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>intrusion-set--090242d7-73fc-4738-af68-20162f7...</td>\n",
       "      <td>[{'external_id': 'G0025', 'source_name': 'mitr...</td>\n",
       "      <td>2019-03-22T14:21:19.419Z</td>\n",
       "      <td>2017-05-31T21:31:57.307Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>APT16</td>\n",
       "      <td>[APT16](https://attack.mitre.org/groups/G0023)...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>[APT16]</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>intrusion-set--d6e88e18-81e8-4709-82d8-973095d...</td>\n",
       "      <td>[{'external_id': 'G0023', 'source_name': 'mitr...</td>\n",
       "      <td>2019-03-22T14:20:45.561Z</td>\n",
       "      <td>2017-05-31T21:31:56.270Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Night Dragon</td>\n",
       "      <td>[Night Dragon](https://attack.mitre.org/groups...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>[Night Dragon]</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e...</td>\n",
       "      <td>[{'external_id': 'G0014', 'source_name': 'mitr...</td>\n",
       "      <td>2019-03-25T14:36:29.638Z</td>\n",
       "      <td>2017-05-31T21:31:51.643Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref          name  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5    TEMP.Veles   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5         APT17   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5         APT16   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  Night Dragon   \n",
       "\n",
       "                                         description           type  \\\n",
       "0  [TEMP.Veles](https://attack.mitre.org/groups/G...  intrusion-set   \n",
       "1  [APT17](https://attack.mitre.org/groups/G0025)...  intrusion-set   \n",
       "2  [APT16](https://attack.mitre.org/groups/G0023)...  intrusion-set   \n",
       "3  [Night Dragon](https://attack.mitre.org/groups...  intrusion-set   \n",
       "\n",
       "                  aliases                                object_marking_refs  \\\n",
       "0  [TEMP.Veles, XENOTIME]  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1     [APT17, Deputy Dog]  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2                 [APT16]  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3          [Night Dragon]  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...   \n",
       "1  intrusion-set--090242d7-73fc-4738-af68-20162f7...   \n",
       "2  intrusion-set--d6e88e18-81e8-4709-82d8-973095d...   \n",
       "3  intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'G0088', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'G0025', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'G0023', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'G0014', 'source_name': 'mitr...   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2019-04-29T18:59:16.079Z  2019-04-16T15:14:38.533Z             1.0   \n",
       "1  2019-03-22T14:21:19.419Z  2017-05-31T21:31:57.307Z             1.0   \n",
       "2  2019-03-22T14:20:45.561Z  2017-05-31T21:31:56.270Z             1.0   \n",
       "3  2019-03-25T14:36:29.638Z  2017-05-31T21:31:51.643Z             1.1   \n",
       "\n",
       "  x_mitre_contributors  \n",
       "0                  NaN  \n",
       "1                  NaN  \n",
       "2                  NaN  \n",
       "3                  NaN  "
      ]
     },
     "execution_count": 54,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups = []\n",
    "for t in all_pre['groups']:\n",
    "    groups.append(json.loads(t.serialize()))\n",
    "df = json_normalize(groups)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**PRE Relationships**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 55,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in PRE-ATT&CK\n",
      "70\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in PRE-ATT&CK\")\n",
    "print(len(all_pre['relationships']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 56,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[TEMP.Veles](https://attack.mitre.org/groups/G...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-04-24T19:45:44.212Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--21842707-0f15-43bf-bc42-2bceadf2...</td>\n",
       "      <td>[{'source_name': 'FireEye TRITON 2019', 'descr...</td>\n",
       "      <td>2019-04-29T18:59:16.596Z</td>\n",
       "      <td>intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--20a66013-8dab-4ca3-a67d-766c84...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[TEMP.Veles](https://attack.mitre.org/groups/G...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-04-24T19:45:44.205Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--2d95ed6f-52e7-4708-af15-9a6c0839...</td>\n",
       "      <td>[{'source_name': 'FireEye TRITON 2019', 'descr...</td>\n",
       "      <td>2019-04-29T18:59:16.595Z</td>\n",
       "      <td>intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--795c1a92-3a26-453e-b99a-6a566a...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>NaN</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-02-19T18:56:56.770Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--83379e43-4bc5-4c49-b0b3-f41161e8...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>2019-02-19T18:56:56.770Z</td>\n",
       "      <td>attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1...</td>\n",
       "      <td>related-to</td>\n",
       "      <td>attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>NaN</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-02-19T18:56:56.136Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--1aafdefb-304e-4998-87cc-81aad295...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>2019-02-19T18:56:56.136Z</td>\n",
       "      <td>attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42...</td>\n",
       "      <td>related-to</td>\n",
       "      <td>attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description          type  \\\n",
       "0  [TEMP.Veles](https://attack.mitre.org/groups/G...  relationship   \n",
       "1  [TEMP.Veles](https://attack.mitre.org/groups/G...  relationship   \n",
       "2                                                NaN  relationship   \n",
       "3                                                NaN  relationship   \n",
       "\n",
       "                    created  \\\n",
       "0  2019-04-24T19:45:44.212Z   \n",
       "1  2019-04-24T19:45:44.205Z   \n",
       "2  2019-02-19T18:56:56.770Z   \n",
       "3  2019-02-19T18:56:56.136Z   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  relationship--21842707-0f15-43bf-bc42-2bceadf2...   \n",
       "1  relationship--2d95ed6f-52e7-4708-af15-9a6c0839...   \n",
       "2  relationship--83379e43-4bc5-4c49-b0b3-f41161e8...   \n",
       "3  relationship--1aafdefb-304e-4998-87cc-81aad295...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'FireEye TRITON 2019', 'descr...   \n",
       "1  [{'source_name': 'FireEye TRITON 2019', 'descr...   \n",
       "2                                                NaN   \n",
       "3                                                NaN   \n",
       "\n",
       "                   modified  \\\n",
       "0  2019-04-29T18:59:16.596Z   \n",
       "1  2019-04-29T18:59:16.595Z   \n",
       "2  2019-02-19T18:56:56.770Z   \n",
       "3  2019-02-19T18:56:56.136Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...              uses   \n",
       "1  intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...              uses   \n",
       "2  attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1...        related-to   \n",
       "3  attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42...        related-to   \n",
       "\n",
       "                                          target_ref  \n",
       "0  attack-pattern--20a66013-8dab-4ca3-a67d-766c84...  \n",
       "1  attack-pattern--795c1a92-3a26-453e-b99a-6a566a...  \n",
       "2  attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42...  \n",
       "3  attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1...  "
      ]
     },
     "execution_count": 56,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relations = []\n",
    "for t in all_pre['relationships']:\n",
    "    relations.append(json.loads(t.serialize()))\n",
    "df = json_normalize(relations)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mobile ATT&CK ONLY from Results (Locally)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Mobile Techniques**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 57,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in Mobile ATT&CK\n",
      "82\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in Mobile ATT&CK\")\n",
    "print(len(all_mobile['techniques']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 58,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>modified</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>kill_chain_phases</th>\n",
       "      <th>id</th>\n",
       "      <th>name</th>\n",
       "      <th>created</th>\n",
       "      <th>type</th>\n",
       "      <th>description</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_tactic_type</th>\n",
       "      <th>x_mitre_detection</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>revoked</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-02-01T17:29:43.503Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'command-and-control', 'kill_c...</td>\n",
       "      <td>attack-pattern--c6a146ae-9c63-4606-97ff-e261e7...</td>\n",
       "      <td>Web Service</td>\n",
       "      <td>2019-02-01T17:29:43.503Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>Adversaries may use an existing, legitimate ex...</td>\n",
       "      <td>[Android, iOS]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-02-03T14:08:44.916Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'initial-access', 'kill_chain_...</td>\n",
       "      <td>attack-pattern--53263a67-075e-48fa-974b-91c5b5...</td>\n",
       "      <td>Deliver Malicious App via Other Means</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>Malicious applications are a common attack vec...</td>\n",
       "      <td>[Android, iOS]</td>\n",
       "      <td>1.1</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>* An EMM/MDM or mobile threat defense solution...</td>\n",
       "      <td>MOB-T1079</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-02-03T17:31:51.215Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'initial-access', 'kill_chain_...</td>\n",
       "      <td>attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97c...</td>\n",
       "      <td>Deliver Malicious App via Authorized App Store</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>Malicious applications are a common attack vec...</td>\n",
       "      <td>[Android, iOS]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>* An EMM/MDM or mobile threat defense solution...</td>\n",
       "      <td>MOB-T1078</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'initial-access', 'kill_chain_...</td>\n",
       "      <td>attack-pattern--0d95940f-9583-4e0f-824c-a42c1b...</td>\n",
       "      <td>Supply Chain Compromise</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>As further described in [Supply Chain Compromi...</td>\n",
       "      <td>[Android, iOS]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>* Insecure third-party libraries could be dete...</td>\n",
       "      <td>MOB-T1077</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "1  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "2  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "3  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                   modified                                  created_by_ref  \\\n",
       "0  2019-02-01T17:29:43.503Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  2019-02-03T14:08:44.916Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  2019-02-03T17:31:51.215Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  2018-10-17T00:14:20.652Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                   kill_chain_phases  \\\n",
       "0  [{'phase_name': 'command-and-control', 'kill_c...   \n",
       "1  [{'phase_name': 'initial-access', 'kill_chain_...   \n",
       "2  [{'phase_name': 'initial-access', 'kill_chain_...   \n",
       "3  [{'phase_name': 'initial-access', 'kill_chain_...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  attack-pattern--c6a146ae-9c63-4606-97ff-e261e7...   \n",
       "1  attack-pattern--53263a67-075e-48fa-974b-91c5b5...   \n",
       "2  attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97c...   \n",
       "3  attack-pattern--0d95940f-9583-4e0f-824c-a42c1b...   \n",
       "\n",
       "                                             name                   created  \\\n",
       "0                                     Web Service  2019-02-01T17:29:43.503Z   \n",
       "1           Deliver Malicious App via Other Means  2018-10-17T00:14:20.652Z   \n",
       "2  Deliver Malicious App via Authorized App Store  2018-10-17T00:14:20.652Z   \n",
       "3                         Supply Chain Compromise  2018-10-17T00:14:20.652Z   \n",
       "\n",
       "             type                                        description  \\\n",
       "0  attack-pattern  Adversaries may use an existing, legitimate ex...   \n",
       "1  attack-pattern  Malicious applications are a common attack vec...   \n",
       "2  attack-pattern  Malicious applications are a common attack vec...   \n",
       "3  attack-pattern  As further described in [Supply Chain Compromi...   \n",
       "\n",
       "  x_mitre_platforms x_mitre_version             x_mitre_tactic_type  \\\n",
       "0    [Android, iOS]             1.0  [Post-Adversary Device Access]   \n",
       "1    [Android, iOS]             1.1  [Post-Adversary Device Access]   \n",
       "2    [Android, iOS]             1.0  [Post-Adversary Device Access]   \n",
       "3    [Android, iOS]             1.0  [Post-Adversary Device Access]   \n",
       "\n",
       "                                   x_mitre_detection x_mitre_old_attack_id  \\\n",
       "0                                                NaN                   NaN   \n",
       "1  * An EMM/MDM or mobile threat defense solution...             MOB-T1079   \n",
       "2  * An EMM/MDM or mobile threat defense solution...             MOB-T1078   \n",
       "3  * Insecure third-party libraries could be dete...             MOB-T1077   \n",
       "\n",
       "  revoked  \n",
       "0     NaN  \n",
       "1     NaN  \n",
       "2     NaN  \n",
       "3     NaN  "
      ]
     },
     "execution_count": 58,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques = []\n",
    "for t in all_mobile['techniques']:\n",
    "    techniques.append(json.loads(t.serialize()))\n",
    "df = json_normalize(techniques)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Mobile Mitigations**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 59,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Mitigations in Mobile ATT&CK\n",
      "14\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Mitigations in Mobile ATT&CK\")\n",
    "print(len(all_mobile['mitigations']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 60,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>name</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>x_mitre_version</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>This mitigation describes any guidance or trai...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Application Developer Guidance</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--25dc1ce8-eb55-4333-ae30-a7cb...</td>\n",
       "      <td>[{'external_id': 'M1013', 'source_name': 'mitr...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>2017-10-25T14:48:53.732Z</td>\n",
       "      <td>MOB-M1013</td>\n",
       "      <td>1.0</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>An enterprise mobility management (EMM), also ...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Enterprise Policy</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--649f7268-4c12-483b-ac84-4b7b...</td>\n",
       "      <td>[{'external_id': 'M1012', 'source_name': 'mitr...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>2017-10-25T14:48:53.318Z</td>\n",
       "      <td>MOB-M1012</td>\n",
       "      <td>1.0</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Enable remote attestation capabilities when av...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Attestation</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--ff4821f6-5afb-481b-8c0f-26c2...</td>\n",
       "      <td>[{'external_id': 'M1002', 'source_name': 'mitr...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>2017-10-25T14:48:52.933Z</td>\n",
       "      <td>MOB-M1002</td>\n",
       "      <td>1.0</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>A variety of methods exist that can be used to...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Deploy Compromised Device Detection Method</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--cf2cccb1-cab8-431a-8ecf-f787...</td>\n",
       "      <td>[{'external_id': 'M1010', 'source_name': 'mitr...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>2017-10-25T14:48:52.601Z</td>\n",
       "      <td>MOB-M1010</td>\n",
       "      <td>1.0</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description              type  \\\n",
       "0  This mitigation describes any guidance or trai...  course-of-action   \n",
       "1  An enterprise mobility management (EMM), also ...  course-of-action   \n",
       "2  Enable remote attestation capabilities when av...  course-of-action   \n",
       "3  A variety of methods exist that can be used to...  course-of-action   \n",
       "\n",
       "                                         name  \\\n",
       "0              Application Developer Guidance   \n",
       "1                           Enterprise Policy   \n",
       "2                                 Attestation   \n",
       "3  Deploy Compromised Device Detection Method   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  course-of-action--25dc1ce8-eb55-4333-ae30-a7cb...   \n",
       "1  course-of-action--649f7268-4c12-483b-ac84-4b7b...   \n",
       "2  course-of-action--ff4821f6-5afb-481b-8c0f-26c2...   \n",
       "3  course-of-action--cf2cccb1-cab8-431a-8ecf-f787...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'M1013', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'M1012', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'M1002', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'M1010', 'source_name': 'mitr...   \n",
       "\n",
       "                   modified                   created x_mitre_old_attack_id  \\\n",
       "0  2018-10-17T00:14:20.652Z  2017-10-25T14:48:53.732Z             MOB-M1013   \n",
       "1  2018-10-17T00:14:20.652Z  2017-10-25T14:48:53.318Z             MOB-M1012   \n",
       "2  2018-10-17T00:14:20.652Z  2017-10-25T14:48:52.933Z             MOB-M1002   \n",
       "3  2018-10-17T00:14:20.652Z  2017-10-25T14:48:52.601Z             MOB-M1010   \n",
       "\n",
       "  x_mitre_version  \n",
       "0             1.0  \n",
       "1             1.0  \n",
       "2             1.0  \n",
       "3             1.0  "
      ]
     },
     "execution_count": 60,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mitigations = []\n",
    "for t in all_mobile['mitigations']:\n",
    "    mitigations.append(json.loads(t.serialize()))\n",
    "df = json_normalize(mitigations)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Mobile Groups**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 61,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in Mobile ATT&CK\n",
      "2\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in Mobile ATT&CK\")\n",
    "print(len(all_mobile['groups']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 62,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>aliases</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Dark Caracal</td>\n",
       "      <td>[Dark Caracal](https://attack.mitre.org/groups...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>[Dark Caracal]</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...</td>\n",
       "      <td>[{'external_id': 'G0070', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-16T15:35:20.554Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>APT28</td>\n",
       "      <td>[APT28](https://attack.mitre.org/groups/G0007)...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>[APT28, SNAKEMACKEREL, Swallowtail, Group 74, ...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8...</td>\n",
       "      <td>[{'external_id': 'G0007', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-27T00:09:33.254Z</td>\n",
       "      <td>2017-05-31T21:31:48.664Z</td>\n",
       "      <td>2.1</td>\n",
       "      <td>[Emily Ratliff, IBM, Richard Gold, Digital Sha...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref          name  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  Dark Caracal   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5         APT28   \n",
       "\n",
       "                                         description           type  \\\n",
       "0  [Dark Caracal](https://attack.mitre.org/groups...  intrusion-set   \n",
       "1  [APT28](https://attack.mitre.org/groups/G0007)...  intrusion-set   \n",
       "\n",
       "                                             aliases  \\\n",
       "0                                     [Dark Caracal]   \n",
       "1  [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...   \n",
       "1  intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'G0070', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'G0007', 'source_name': 'mitr...   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2019-07-16T15:35:20.554Z  2018-10-17T00:14:20.652Z             1.1   \n",
       "1  2019-07-27T00:09:33.254Z  2017-05-31T21:31:48.664Z             2.1   \n",
       "\n",
       "                                x_mitre_contributors  \n",
       "0                                                NaN  \n",
       "1  [Emily Ratliff, IBM, Richard Gold, Digital Sha...  "
      ]
     },
     "execution_count": 62,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups = []\n",
    "for t in all_mobile['groups']:\n",
    "    groups.append(json.loads(t.serialize()))\n",
    "df = json_normalize(groups)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Mobile Malware**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 63,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Malware in Mobile ATT&CK\n",
      "45\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Malware in Mobile ATT&CK\")\n",
    "print(len(all_mobile['malware']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 64,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>modified</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>name</th>\n",
       "      <th>labels</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Pallas](https://attack.mitre.org/software/S03...</td>\n",
       "      <td>malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878</td>\n",
       "      <td>[{'external_id': 'S0399', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-14T21:33:23.330Z</td>\n",
       "      <td>malware</td>\n",
       "      <td>2019-07-10T15:35:43.217Z</td>\n",
       "      <td>Pallas</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Android]</td>\n",
       "      <td>[Pallas]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Tangelo](https://attack.mitre.org/software/S0...</td>\n",
       "      <td>malware--35aae10a-97c5-471a-9c67-02c231a7a31a</td>\n",
       "      <td>[{'external_id': 'S0329', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-12-11T20:40:31.461Z</td>\n",
       "      <td>malware</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>Tangelo</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>1.1</td>\n",
       "      <td>[iOS]</td>\n",
       "      <td>[Tangelo]</td>\n",
       "      <td>MOB-S0045</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Stealth Mango](https://attack.mitre.org/softw...</td>\n",
       "      <td>malware--085eb36d-697d-4d9a-bac3-96eb879fe73c</td>\n",
       "      <td>[{'external_id': 'S0328', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-12-11T20:40:31.461Z</td>\n",
       "      <td>malware</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>Stealth Mango</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>1.1</td>\n",
       "      <td>[Android]</td>\n",
       "      <td>[Stealth Mango]</td>\n",
       "      <td>MOB-S0044</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Marcher](https://attack.mitre.org/software/S0...</td>\n",
       "      <td>malware--f9854ba6-989d-43bf-828b-7240b8a65291</td>\n",
       "      <td>[{'external_id': 'S0317', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-12-11T20:40:31.461Z</td>\n",
       "      <td>malware</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>Marcher</td>\n",
       "      <td>[malware]</td>\n",
       "      <td>1.1</td>\n",
       "      <td>[Android]</td>\n",
       "      <td>[Marcher]</td>\n",
       "      <td>MOB-S0033</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description  \\\n",
       "0  [Pallas](https://attack.mitre.org/software/S03...   \n",
       "1  [Tangelo](https://attack.mitre.org/software/S0...   \n",
       "2  [Stealth Mango](https://attack.mitre.org/softw...   \n",
       "3  [Marcher](https://attack.mitre.org/software/S0...   \n",
       "\n",
       "                                              id  \\\n",
       "0  malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878   \n",
       "1  malware--35aae10a-97c5-471a-9c67-02c231a7a31a   \n",
       "2  malware--085eb36d-697d-4d9a-bac3-96eb879fe73c   \n",
       "3  malware--f9854ba6-989d-43bf-828b-7240b8a65291   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'S0399', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'S0329', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'S0328', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'S0317', 'source_name': 'mitr...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                   modified     type                   created           name  \\\n",
       "0  2019-07-14T21:33:23.330Z  malware  2019-07-10T15:35:43.217Z         Pallas   \n",
       "1  2018-12-11T20:40:31.461Z  malware  2018-10-17T00:14:20.652Z        Tangelo   \n",
       "2  2018-12-11T20:40:31.461Z  malware  2018-10-17T00:14:20.652Z  Stealth Mango   \n",
       "3  2018-12-11T20:40:31.461Z  malware  2018-10-17T00:14:20.652Z        Marcher   \n",
       "\n",
       "      labels x_mitre_version x_mitre_platforms  x_mitre_aliases  \\\n",
       "0  [malware]             1.0         [Android]         [Pallas]   \n",
       "1  [malware]             1.1             [iOS]        [Tangelo]   \n",
       "2  [malware]             1.1         [Android]  [Stealth Mango]   \n",
       "3  [malware]             1.1         [Android]        [Marcher]   \n",
       "\n",
       "  x_mitre_old_attack_id  \n",
       "0                   NaN  \n",
       "1             MOB-S0045  \n",
       "2             MOB-S0044  \n",
       "3             MOB-S0033  "
      ]
     },
     "execution_count": 64,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "malware = []\n",
    "for t in all_mobile['malware']:\n",
    "    malware.append(json.loads(t.serialize()))\n",
    "df = json_normalize(malware)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Mobile Tools**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 65,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Tools in Mobile ATT&CK\n",
      "1\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Tools in Mobile ATT&CK\")\n",
    "print(len(all_mobile['tools']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 66,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>modified</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>name</th>\n",
       "      <th>labels</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Xbot](https://attack.mitre.org/software/S0298...</td>\n",
       "      <td>tool--da21929e-40c0-443d-bdf4-6b60d15448b4</td>\n",
       "      <td>[{'external_id': 'S0298', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-12-11T20:40:31.461Z</td>\n",
       "      <td>tool</td>\n",
       "      <td>2017-10-25T14:48:48.609Z</td>\n",
       "      <td>Xbot</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>MOB-S0014</td>\n",
       "      <td>1.1</td>\n",
       "      <td>[Android]</td>\n",
       "      <td>[Xbot]</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description  \\\n",
       "0  [Xbot](https://attack.mitre.org/software/S0298...   \n",
       "\n",
       "                                           id  \\\n",
       "0  tool--da21929e-40c0-443d-bdf4-6b60d15448b4   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'S0298', 'source_name': 'mitr...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                   modified  type                   created  name  labels  \\\n",
       "0  2018-12-11T20:40:31.461Z  tool  2017-10-25T14:48:48.609Z  Xbot  [tool]   \n",
       "\n",
       "  x_mitre_old_attack_id x_mitre_version x_mitre_platforms x_mitre_aliases  \n",
       "0             MOB-S0014             1.1         [Android]          [Xbot]  "
      ]
     },
     "execution_count": 66,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "tools = []\n",
    "for t in all_mobile['tools']:\n",
    "    tools.append(json.loads(t.serialize()))\n",
    "df = json_normalize(tools)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "**Mobile Relationships**"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 67,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in Mobile ATT&CK\n",
      "322\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in Mobile ATT&CK\")\n",
    "print(len(all_mobile['relationships']))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 68,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>id</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>created</th>\n",
       "      <th>modified</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "      <th>external_references</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>An EMM/MDM can use the Android `DevicePolicyMa...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>relationship--fbd2d4f7-96ff-4624-a567-d4882f0c...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-23T15:35:23.530Z</td>\n",
       "      <td>2019-07-23T15:35:23.530Z</td>\n",
       "      <td>course-of-action--649f7268-4c12-483b-ac84-4b7b...</td>\n",
       "      <td>mitigates</td>\n",
       "      <td>attack-pattern--2204c371-6100-4ae0-82f3-25c07c...</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Dark Caracal](https://attack.mitre.org/groups...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>relationship--61071d73-fcdf-4820-afd0-e3f0983e...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-10T15:42:09.606Z</td>\n",
       "      <td>2019-07-16T15:35:20.953Z</td>\n",
       "      <td>intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--6a3f6490-9c44-40de-b059-e5940f...</td>\n",
       "      <td>[{'source_name': 'Lookout Dark Caracal Jan 201...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Dark Caracal](https://attack.mitre.org/groups...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>relationship--ae9a0fb3-901b-4da2-b6ad-633ddbfa...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-10T15:42:09.591Z</td>\n",
       "      <td>2019-07-16T15:35:21.028Z</td>\n",
       "      <td>intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--53263a67-075e-48fa-974b-91c5b5...</td>\n",
       "      <td>[{'source_name': 'Lookout Dark Caracal Jan 201...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Pallas](https://attack.mitre.org/software/S03...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>relationship--60ecd154-e907-419a-b41d-1a9a1f59...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-10T15:35:43.712Z</td>\n",
       "      <td>2019-07-14T21:33:23.556Z</td>\n",
       "      <td>malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--8e27551a-5080-4148-a584-c64348...</td>\n",
       "      <td>[{'source_name': 'Lookout Dark Caracal Jan 201...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description          type  \\\n",
       "0  An EMM/MDM can use the Android `DevicePolicyMa...  relationship   \n",
       "1  [Dark Caracal](https://attack.mitre.org/groups...  relationship   \n",
       "2  [Dark Caracal](https://attack.mitre.org/groups...  relationship   \n",
       "3  [Pallas](https://attack.mitre.org/software/S03...  relationship   \n",
       "\n",
       "                                                  id  \\\n",
       "0  relationship--fbd2d4f7-96ff-4624-a567-d4882f0c...   \n",
       "1  relationship--61071d73-fcdf-4820-afd0-e3f0983e...   \n",
       "2  relationship--ae9a0fb3-901b-4da2-b6ad-633ddbfa...   \n",
       "3  relationship--60ecd154-e907-419a-b41d-1a9a1f59...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                    created                  modified  \\\n",
       "0  2019-07-23T15:35:23.530Z  2019-07-23T15:35:23.530Z   \n",
       "1  2019-07-10T15:42:09.606Z  2019-07-16T15:35:20.953Z   \n",
       "2  2019-07-10T15:42:09.591Z  2019-07-16T15:35:21.028Z   \n",
       "3  2019-07-10T15:35:43.712Z  2019-07-14T21:33:23.556Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  course-of-action--649f7268-4c12-483b-ac84-4b7b...         mitigates   \n",
       "1  intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...              uses   \n",
       "2  intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...              uses   \n",
       "3      malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878              uses   \n",
       "\n",
       "                                          target_ref  \\\n",
       "0  attack-pattern--2204c371-6100-4ae0-82f3-25c07c...   \n",
       "1  attack-pattern--6a3f6490-9c44-40de-b059-e5940f...   \n",
       "2  attack-pattern--53263a67-075e-48fa-974b-91c5b5...   \n",
       "3  attack-pattern--8e27551a-5080-4148-a584-c64348...   \n",
       "\n",
       "                                 external_references  \n",
       "0                                                NaN  \n",
       "1  [{'source_name': 'Lookout Dark Caracal Jan 201...  \n",
       "2  [{'source_name': 'Lookout Dark Caracal Jan 201...  \n",
       "3  [{'source_name': 'Lookout Dark Caracal Jan 201...  "
      ]
     },
     "execution_count": 68,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relations = []\n",
    "for t in all_mobile['relationships']:\n",
    "    relations.append(json.loads(t.serialize()))\n",
    "df = json_normalize(relations)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## **Get STIX Object Types Directly from TAXII Server (Enterprise ATT&CK, Pre-ATT&CK & Mobile ATT&CK)**\n",
    "* In this section, we will query the ATT&CK TAXII Server directly in order to collect specific stix object types such as techniques, mitigations, groups, malware, tools and relationships from the Enterprise, PRE and Mobile Matrices.\n",
    "* There is no need to get all the stix objects available per each matrix unlike the first section of this notebook."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Enterprise Techniques ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 69,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in Enterprise ATT&CK\n",
      "244\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in Enterprise ATT&CK\")\n",
    "techniques = lift.get_enterprise_techniques()\n",
    "print(len(techniques))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 70,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>type</th>\n",
       "      <th>modified</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>kill_chain_phases</th>\n",
       "      <th>id</th>\n",
       "      <th>name</th>\n",
       "      <th>created</th>\n",
       "      <th>description</th>\n",
       "      <th>...</th>\n",
       "      <th>x_mitre_data_sources</th>\n",
       "      <th>x_mitre_detection</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_system_requirements</th>\n",
       "      <th>x_mitre_defense_bypassed</th>\n",
       "      <th>x_mitre_impact_type</th>\n",
       "      <th>x_mitre_remote_support</th>\n",
       "      <th>x_mitre_effective_permissions</th>\n",
       "      <th>x_mitre_network_requirements</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'external_id': 'T1500', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>2019-04-29T21:13:49.686Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'defense-evasion', 'kill_chain...</td>\n",
       "      <td>attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120...</td>\n",
       "      <td>Compile After Delivery</td>\n",
       "      <td>2019-04-25T20:53:07.719Z</td>\n",
       "      <td>Adversaries may attempt to make payloads diffi...</td>\n",
       "      <td>...</td>\n",
       "      <td>[Process command-line parameters, Process moni...</td>\n",
       "      <td>Monitor the execution file paths and command-l...</td>\n",
       "      <td>[Linux, macOS, Windows]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Compiler software (either native to the syste...</td>\n",
       "      <td>[Static File Analysis, Binary Analysis, Anti-v...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'external_id': 'T1501', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>2019-04-29T14:14:08.450Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'persistence', 'kill_chain_nam...</td>\n",
       "      <td>attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303...</td>\n",
       "      <td>Systemd Service</td>\n",
       "      <td>2019-04-23T15:34:30.008Z</td>\n",
       "      <td>Systemd services can be used to establish pers...</td>\n",
       "      <td>...</td>\n",
       "      <td>[Process command-line parameters, Process moni...</td>\n",
       "      <td>Systemd service unit files may be detected by ...</td>\n",
       "      <td>[Linux]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[{'external_id': 'T1499', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>2019-04-29T13:20:36.795Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'impact', 'kill_chain_name': '...</td>\n",
       "      <td>attack-pattern--c675646d-e204-4aa8-978d-e3d6d6...</td>\n",
       "      <td>Endpoint Denial of Service</td>\n",
       "      <td>2019-04-18T11:00:55.862Z</td>\n",
       "      <td>Adversaries may perform Endpoint Denial of Ser...</td>\n",
       "      <td>...</td>\n",
       "      <td>[SSL/TLS inspection, Web logs, Web application...</td>\n",
       "      <td>Detection of Endpoint DoS can sometimes be ach...</td>\n",
       "      <td>[Linux, macOS, Windows]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>[Availability]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[{'external_id': 'T1497', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>2019-06-10T17:37:37.138Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'defense-evasion', 'kill_chain...</td>\n",
       "      <td>attack-pattern--82caa33e-d11a-433a-94ea-9b5a5f...</td>\n",
       "      <td>Virtualization/Sandbox Evasion</td>\n",
       "      <td>2019-04-17T22:22:24.505Z</td>\n",
       "      <td>Adversaries may check for the presence of a vi...</td>\n",
       "      <td>...</td>\n",
       "      <td>[Process monitoring, Process command-line para...</td>\n",
       "      <td>Virtualization, sandbox, and related discovery...</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>[Anti-virus, Host forensic analysis, Signature...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>4 rows × 22 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'external_id': 'T1500', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'T1501', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'T1499', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'T1497', 'source_name': 'mitr...   \n",
       "\n",
       "                                 object_marking_refs            type  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "\n",
       "                   modified                                  created_by_ref  \\\n",
       "0  2019-04-29T21:13:49.686Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  2019-04-29T14:14:08.450Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  2019-04-29T13:20:36.795Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  2019-06-10T17:37:37.138Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                   kill_chain_phases  \\\n",
       "0  [{'phase_name': 'defense-evasion', 'kill_chain...   \n",
       "1  [{'phase_name': 'persistence', 'kill_chain_nam...   \n",
       "2  [{'phase_name': 'impact', 'kill_chain_name': '...   \n",
       "3  [{'phase_name': 'defense-evasion', 'kill_chain...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120...   \n",
       "1  attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303...   \n",
       "2  attack-pattern--c675646d-e204-4aa8-978d-e3d6d6...   \n",
       "3  attack-pattern--82caa33e-d11a-433a-94ea-9b5a5f...   \n",
       "\n",
       "                             name                   created  \\\n",
       "0          Compile After Delivery  2019-04-25T20:53:07.719Z   \n",
       "1                 Systemd Service  2019-04-23T15:34:30.008Z   \n",
       "2      Endpoint Denial of Service  2019-04-18T11:00:55.862Z   \n",
       "3  Virtualization/Sandbox Evasion  2019-04-17T22:22:24.505Z   \n",
       "\n",
       "                                         description  ...  \\\n",
       "0  Adversaries may attempt to make payloads diffi...  ...   \n",
       "1  Systemd services can be used to establish pers...  ...   \n",
       "2  Adversaries may perform Endpoint Denial of Ser...  ...   \n",
       "3  Adversaries may check for the presence of a vi...  ...   \n",
       "\n",
       "                                x_mitre_data_sources  \\\n",
       "0  [Process command-line parameters, Process moni...   \n",
       "1  [Process command-line parameters, Process moni...   \n",
       "2  [SSL/TLS inspection, Web logs, Web application...   \n",
       "3  [Process monitoring, Process command-line para...   \n",
       "\n",
       "                                   x_mitre_detection        x_mitre_platforms  \\\n",
       "0  Monitor the execution file paths and command-l...  [Linux, macOS, Windows]   \n",
       "1  Systemd service unit files may be detected by ...                  [Linux]   \n",
       "2  Detection of Endpoint DoS can sometimes be ach...  [Linux, macOS, Windows]   \n",
       "3  Virtualization, sandbox, and related discovery...                [Windows]   \n",
       "\n",
       "  x_mitre_version                        x_mitre_system_requirements  \\\n",
       "0             1.0  [Compiler software (either native to the syste...   \n",
       "1             1.0                                                NaN   \n",
       "2             1.0                                                NaN   \n",
       "3             1.0                                                NaN   \n",
       "\n",
       "                            x_mitre_defense_bypassed x_mitre_impact_type  \\\n",
       "0  [Static File Analysis, Binary Analysis, Anti-v...                 NaN   \n",
       "1                                                NaN                 NaN   \n",
       "2                                                NaN      [Availability]   \n",
       "3  [Anti-virus, Host forensic analysis, Signature...                 NaN   \n",
       "\n",
       "  x_mitre_remote_support x_mitre_effective_permissions  \\\n",
       "0                    NaN                           NaN   \n",
       "1                    NaN                           NaN   \n",
       "2                    NaN                           NaN   \n",
       "3                    NaN                           NaN   \n",
       "\n",
       "  x_mitre_network_requirements  \n",
       "0                          NaN  \n",
       "1                          NaN  \n",
       "2                          NaN  \n",
       "3                          NaN  \n",
       "\n",
       "[4 rows x 22 columns]"
      ]
     },
     "execution_count": 70,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques_list = []\n",
    "for t in techniques:\n",
    "    techniques_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(techniques_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All PRE Techniques ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 71,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in PRE-ATT&CK\n",
      "174\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in PRE-ATT&CK\")\n",
    "techniques = lift.get_pre_techniques()\n",
    "print(len(techniques))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 72,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>modified</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>kill_chain_phases</th>\n",
       "      <th>id</th>\n",
       "      <th>name</th>\n",
       "      <th>created</th>\n",
       "      <th>type</th>\n",
       "      <th>description</th>\n",
       "      <th>x_mitre_detectable_by_common_defenses</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_difficulty_for_adversary_explanation</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>x_mitre_difficulty_for_adversary</th>\n",
       "      <th>x_mitre_detectable_by_common_defenses_explanation</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'technical-information-gatheri...</td>\n",
       "      <td>attack-pattern--b182f29c-2505-4b32-a000-0440ef...</td>\n",
       "      <td>Spearphishing for Information</td>\n",
       "      <td>2018-04-18T17:59:24.739Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>Spearphishing for information is a specific va...</td>\n",
       "      <td>Partial</td>\n",
       "      <td>1.0</td>\n",
       "      <td>Sending emails is trivial, and, over time, an ...</td>\n",
       "      <td>PRE-T1174</td>\n",
       "      <td>Yes</td>\n",
       "      <td>Depending on the specific method of phishing, ...</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'adversary-opsec', 'kill_chain...</td>\n",
       "      <td>attack-pattern--286cc500-4291-45c2-99a1-e760db...</td>\n",
       "      <td>Acquire and/or use 3rd party infrastructure se...</td>\n",
       "      <td>2017-12-14T16:46:06.044Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>A wide variety of cloud, virtual private servi...</td>\n",
       "      <td>No</td>\n",
       "      <td>1.0</td>\n",
       "      <td>Wide range of 3rd party services for hosting, ...</td>\n",
       "      <td>PRE-T1084</td>\n",
       "      <td>Yes</td>\n",
       "      <td>3rd party services highly leveraged by legitim...</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'people-information-gathering'...</td>\n",
       "      <td>attack-pattern--b3f36317-3940-4d71-968f-e11ac1...</td>\n",
       "      <td>Aggregate individual's digital footprint</td>\n",
       "      <td>2017-12-14T16:46:06.044Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>In addition to a target's social media presenc...</td>\n",
       "      <td>No</td>\n",
       "      <td>1.0</td>\n",
       "      <td>Information readily available through searches</td>\n",
       "      <td>PRE-T1052</td>\n",
       "      <td>Yes</td>\n",
       "      <td>Searching publicly available sources that cann...</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'technical-weakness-identifica...</td>\n",
       "      <td>attack-pattern--a1e8d61b-22e1-4983-8485-964201...</td>\n",
       "      <td>Analyze hardware/software security defensive c...</td>\n",
       "      <td>2017-12-14T16:46:06.044Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>An adversary can probe a victim's network to d...</td>\n",
       "      <td>No</td>\n",
       "      <td>1.0</td>\n",
       "      <td>Analyze network traffic to determine security ...</td>\n",
       "      <td>PRE-T1071</td>\n",
       "      <td>Yes</td>\n",
       "      <td>This can be done offline after the data has be...</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "1  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "2  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "3  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                   modified                                  created_by_ref  \\\n",
       "0  2018-10-17T00:14:20.652Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  2018-10-17T00:14:20.652Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  2018-10-17T00:14:20.652Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  2018-10-17T00:14:20.652Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                   kill_chain_phases  \\\n",
       "0  [{'phase_name': 'technical-information-gatheri...   \n",
       "1  [{'phase_name': 'adversary-opsec', 'kill_chain...   \n",
       "2  [{'phase_name': 'people-information-gathering'...   \n",
       "3  [{'phase_name': 'technical-weakness-identifica...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  attack-pattern--b182f29c-2505-4b32-a000-0440ef...   \n",
       "1  attack-pattern--286cc500-4291-45c2-99a1-e760db...   \n",
       "2  attack-pattern--b3f36317-3940-4d71-968f-e11ac1...   \n",
       "3  attack-pattern--a1e8d61b-22e1-4983-8485-964201...   \n",
       "\n",
       "                                                name  \\\n",
       "0                      Spearphishing for Information   \n",
       "1  Acquire and/or use 3rd party infrastructure se...   \n",
       "2           Aggregate individual's digital footprint   \n",
       "3  Analyze hardware/software security defensive c...   \n",
       "\n",
       "                    created            type  \\\n",
       "0  2018-04-18T17:59:24.739Z  attack-pattern   \n",
       "1  2017-12-14T16:46:06.044Z  attack-pattern   \n",
       "2  2017-12-14T16:46:06.044Z  attack-pattern   \n",
       "3  2017-12-14T16:46:06.044Z  attack-pattern   \n",
       "\n",
       "                                         description  \\\n",
       "0  Spearphishing for information is a specific va...   \n",
       "1  A wide variety of cloud, virtual private servi...   \n",
       "2  In addition to a target's social media presenc...   \n",
       "3  An adversary can probe a victim's network to d...   \n",
       "\n",
       "  x_mitre_detectable_by_common_defenses x_mitre_version  \\\n",
       "0                               Partial             1.0   \n",
       "1                                    No             1.0   \n",
       "2                                    No             1.0   \n",
       "3                                    No             1.0   \n",
       "\n",
       "        x_mitre_difficulty_for_adversary_explanation x_mitre_old_attack_id  \\\n",
       "0  Sending emails is trivial, and, over time, an ...             PRE-T1174   \n",
       "1  Wide range of 3rd party services for hosting, ...             PRE-T1084   \n",
       "2     Information readily available through searches             PRE-T1052   \n",
       "3  Analyze network traffic to determine security ...             PRE-T1071   \n",
       "\n",
       "  x_mitre_difficulty_for_adversary  \\\n",
       "0                              Yes   \n",
       "1                              Yes   \n",
       "2                              Yes   \n",
       "3                              Yes   \n",
       "\n",
       "   x_mitre_detectable_by_common_defenses_explanation x_mitre_deprecated  \n",
       "0  Depending on the specific method of phishing, ...                NaN  \n",
       "1  3rd party services highly leveraged by legitim...                NaN  \n",
       "2  Searching publicly available sources that cann...                NaN  \n",
       "3  This can be done offline after the data has be...                NaN  "
      ]
     },
     "execution_count": 72,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques_list = []\n",
    "for t in techniques:\n",
    "    techniques_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(techniques_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mobile Techniques ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 73,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in Mobile ATT&CK\n",
      "82\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in Mobile ATT&CK\")\n",
    "techniques = lift.get_mobile_techniques()\n",
    "print(len(techniques))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 74,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>modified</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>kill_chain_phases</th>\n",
       "      <th>id</th>\n",
       "      <th>name</th>\n",
       "      <th>created</th>\n",
       "      <th>type</th>\n",
       "      <th>description</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_tactic_type</th>\n",
       "      <th>x_mitre_detection</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>revoked</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-02-01T17:29:43.503Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'command-and-control', 'kill_c...</td>\n",
       "      <td>attack-pattern--c6a146ae-9c63-4606-97ff-e261e7...</td>\n",
       "      <td>Web Service</td>\n",
       "      <td>2019-02-01T17:29:43.503Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>Adversaries may use an existing, legitimate ex...</td>\n",
       "      <td>[Android, iOS]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-02-03T14:08:44.916Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'initial-access', 'kill_chain_...</td>\n",
       "      <td>attack-pattern--53263a67-075e-48fa-974b-91c5b5...</td>\n",
       "      <td>Deliver Malicious App via Other Means</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>Malicious applications are a common attack vec...</td>\n",
       "      <td>[Android, iOS]</td>\n",
       "      <td>1.1</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>* An EMM/MDM or mobile threat defense solution...</td>\n",
       "      <td>MOB-T1079</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-02-03T17:31:51.215Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'initial-access', 'kill_chain_...</td>\n",
       "      <td>attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97c...</td>\n",
       "      <td>Deliver Malicious App via Authorized App Store</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>Malicious applications are a common attack vec...</td>\n",
       "      <td>[Android, iOS]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>* An EMM/MDM or mobile threat defense solution...</td>\n",
       "      <td>MOB-T1078</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[{'url': 'https://attack.mitre.org/techniques/...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'initial-access', 'kill_chain_...</td>\n",
       "      <td>attack-pattern--0d95940f-9583-4e0f-824c-a42c1b...</td>\n",
       "      <td>Supply Chain Compromise</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>As further described in [Supply Chain Compromi...</td>\n",
       "      <td>[Android, iOS]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Post-Adversary Device Access]</td>\n",
       "      <td>* Insecure third-party libraries could be dete...</td>\n",
       "      <td>MOB-T1077</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "1  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "2  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "3  [{'url': 'https://attack.mitre.org/techniques/...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                   modified                                  created_by_ref  \\\n",
       "0  2019-02-01T17:29:43.503Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  2019-02-03T14:08:44.916Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  2019-02-03T17:31:51.215Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  2018-10-17T00:14:20.652Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                   kill_chain_phases  \\\n",
       "0  [{'phase_name': 'command-and-control', 'kill_c...   \n",
       "1  [{'phase_name': 'initial-access', 'kill_chain_...   \n",
       "2  [{'phase_name': 'initial-access', 'kill_chain_...   \n",
       "3  [{'phase_name': 'initial-access', 'kill_chain_...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  attack-pattern--c6a146ae-9c63-4606-97ff-e261e7...   \n",
       "1  attack-pattern--53263a67-075e-48fa-974b-91c5b5...   \n",
       "2  attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97c...   \n",
       "3  attack-pattern--0d95940f-9583-4e0f-824c-a42c1b...   \n",
       "\n",
       "                                             name                   created  \\\n",
       "0                                     Web Service  2019-02-01T17:29:43.503Z   \n",
       "1           Deliver Malicious App via Other Means  2018-10-17T00:14:20.652Z   \n",
       "2  Deliver Malicious App via Authorized App Store  2018-10-17T00:14:20.652Z   \n",
       "3                         Supply Chain Compromise  2018-10-17T00:14:20.652Z   \n",
       "\n",
       "             type                                        description  \\\n",
       "0  attack-pattern  Adversaries may use an existing, legitimate ex...   \n",
       "1  attack-pattern  Malicious applications are a common attack vec...   \n",
       "2  attack-pattern  Malicious applications are a common attack vec...   \n",
       "3  attack-pattern  As further described in [Supply Chain Compromi...   \n",
       "\n",
       "  x_mitre_platforms x_mitre_version             x_mitre_tactic_type  \\\n",
       "0    [Android, iOS]             1.0  [Post-Adversary Device Access]   \n",
       "1    [Android, iOS]             1.1  [Post-Adversary Device Access]   \n",
       "2    [Android, iOS]             1.0  [Post-Adversary Device Access]   \n",
       "3    [Android, iOS]             1.0  [Post-Adversary Device Access]   \n",
       "\n",
       "                                   x_mitre_detection x_mitre_old_attack_id  \\\n",
       "0                                                NaN                   NaN   \n",
       "1  * An EMM/MDM or mobile threat defense solution...             MOB-T1079   \n",
       "2  * An EMM/MDM or mobile threat defense solution...             MOB-T1078   \n",
       "3  * Insecure third-party libraries could be dete...             MOB-T1077   \n",
       "\n",
       "  revoked  \n",
       "0     NaN  \n",
       "1     NaN  \n",
       "2     NaN  \n",
       "3     NaN  "
      ]
     },
     "execution_count": 74,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques_list = []\n",
    "for t in techniques:\n",
    "    techniques_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(techniques_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Techniques (TAXII)\n",
    "* The results of this function shows every single technique across the whole ATT&CK framework without their mitigations information\n",
    "* Mitigations information has its own stix object type (Mitigation) that needs to be correlated with the help of relationship properties\n",
    "* There is a function already created in this library named **get_techniques_with_mitigations()** that allows you to get a more complete view of techniques"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 75,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Techniques in ATT&CK\n",
      "500\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Techniques in ATT&CK\")\n",
    "techniques = lift.get_techniques()\n",
    "print(len(techniques))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 76,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>type</th>\n",
       "      <th>modified</th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>kill_chain_phases</th>\n",
       "      <th>id</th>\n",
       "      <th>name</th>\n",
       "      <th>created</th>\n",
       "      <th>description</th>\n",
       "      <th>...</th>\n",
       "      <th>x_mitre_effective_permissions</th>\n",
       "      <th>x_mitre_network_requirements</th>\n",
       "      <th>x_mitre_detectable_by_common_defenses</th>\n",
       "      <th>x_mitre_difficulty_for_adversary_explanation</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>x_mitre_difficulty_for_adversary</th>\n",
       "      <th>x_mitre_detectable_by_common_defenses_explanation</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "      <th>x_mitre_tactic_type</th>\n",
       "      <th>revoked</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>[{'external_id': 'T1500', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>2019-04-29T21:13:49.686Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'defense-evasion', 'kill_chain...</td>\n",
       "      <td>attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120...</td>\n",
       "      <td>Compile After Delivery</td>\n",
       "      <td>2019-04-25T20:53:07.719Z</td>\n",
       "      <td>Adversaries may attempt to make payloads diffi...</td>\n",
       "      <td>...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>[{'external_id': 'T1501', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>2019-04-29T14:14:08.450Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'persistence', 'kill_chain_nam...</td>\n",
       "      <td>attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303...</td>\n",
       "      <td>Systemd Service</td>\n",
       "      <td>2019-04-23T15:34:30.008Z</td>\n",
       "      <td>Systemd services can be used to establish pers...</td>\n",
       "      <td>...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>[{'external_id': 'T1499', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>2019-04-29T13:20:36.795Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'impact', 'kill_chain_name': '...</td>\n",
       "      <td>attack-pattern--c675646d-e204-4aa8-978d-e3d6d6...</td>\n",
       "      <td>Endpoint Denial of Service</td>\n",
       "      <td>2019-04-18T11:00:55.862Z</td>\n",
       "      <td>Adversaries may perform Endpoint Denial of Ser...</td>\n",
       "      <td>...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>[{'external_id': 'T1497', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>attack-pattern</td>\n",
       "      <td>2019-06-10T17:37:37.138Z</td>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[{'phase_name': 'defense-evasion', 'kill_chain...</td>\n",
       "      <td>attack-pattern--82caa33e-d11a-433a-94ea-9b5a5f...</td>\n",
       "      <td>Virtualization/Sandbox Evasion</td>\n",
       "      <td>2019-04-17T22:22:24.505Z</td>\n",
       "      <td>Adversaries may check for the presence of a vi...</td>\n",
       "      <td>...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>4 rows × 30 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "                                 external_references  \\\n",
       "0  [{'external_id': 'T1500', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'T1501', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'T1499', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'T1497', 'source_name': 'mitr...   \n",
       "\n",
       "                                 object_marking_refs            type  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...  attack-pattern   \n",
       "\n",
       "                   modified                                  created_by_ref  \\\n",
       "0  2019-04-29T21:13:49.686Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  2019-04-29T14:14:08.450Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  2019-04-29T13:20:36.795Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  2019-06-10T17:37:37.138Z  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                   kill_chain_phases  \\\n",
       "0  [{'phase_name': 'defense-evasion', 'kill_chain...   \n",
       "1  [{'phase_name': 'persistence', 'kill_chain_nam...   \n",
       "2  [{'phase_name': 'impact', 'kill_chain_name': '...   \n",
       "3  [{'phase_name': 'defense-evasion', 'kill_chain...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120...   \n",
       "1  attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303...   \n",
       "2  attack-pattern--c675646d-e204-4aa8-978d-e3d6d6...   \n",
       "3  attack-pattern--82caa33e-d11a-433a-94ea-9b5a5f...   \n",
       "\n",
       "                             name                   created  \\\n",
       "0          Compile After Delivery  2019-04-25T20:53:07.719Z   \n",
       "1                 Systemd Service  2019-04-23T15:34:30.008Z   \n",
       "2      Endpoint Denial of Service  2019-04-18T11:00:55.862Z   \n",
       "3  Virtualization/Sandbox Evasion  2019-04-17T22:22:24.505Z   \n",
       "\n",
       "                                         description  ...  \\\n",
       "0  Adversaries may attempt to make payloads diffi...  ...   \n",
       "1  Systemd services can be used to establish pers...  ...   \n",
       "2  Adversaries may perform Endpoint Denial of Ser...  ...   \n",
       "3  Adversaries may check for the presence of a vi...  ...   \n",
       "\n",
       "  x_mitre_effective_permissions x_mitre_network_requirements  \\\n",
       "0                           NaN                          NaN   \n",
       "1                           NaN                          NaN   \n",
       "2                           NaN                          NaN   \n",
       "3                           NaN                          NaN   \n",
       "\n",
       "  x_mitre_detectable_by_common_defenses  \\\n",
       "0                                   NaN   \n",
       "1                                   NaN   \n",
       "2                                   NaN   \n",
       "3                                   NaN   \n",
       "\n",
       "  x_mitre_difficulty_for_adversary_explanation x_mitre_old_attack_id  \\\n",
       "0                                          NaN                   NaN   \n",
       "1                                          NaN                   NaN   \n",
       "2                                          NaN                   NaN   \n",
       "3                                          NaN                   NaN   \n",
       "\n",
       "  x_mitre_difficulty_for_adversary  \\\n",
       "0                              NaN   \n",
       "1                              NaN   \n",
       "2                              NaN   \n",
       "3                              NaN   \n",
       "\n",
       "  x_mitre_detectable_by_common_defenses_explanation x_mitre_deprecated  \\\n",
       "0                                               NaN                NaN   \n",
       "1                                               NaN                NaN   \n",
       "2                                               NaN                NaN   \n",
       "3                                               NaN                NaN   \n",
       "\n",
       "  x_mitre_tactic_type revoked  \n",
       "0                 NaN     NaN  \n",
       "1                 NaN     NaN  \n",
       "2                 NaN     NaN  \n",
       "3                 NaN     NaN  \n",
       "\n",
       "[4 rows x 30 columns]"
      ]
     },
     "execution_count": 76,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques_list = []\n",
    "for t in techniques:\n",
    "    techniques_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(techniques_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Enterprise Mitigations ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 77,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Mitigations in Enterprise ATT&CK\n",
      "281\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Mitigations in Enterprise ATT&CK\")\n",
    "mitigations = lift.get_enterprise_mitigations()\n",
    "print(len(mitigations))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 78,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>name</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>This category is to associate techniques that ...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Do Not Mitigate</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--787fb64d-c87b-4ee5-a341-0ef1...</td>\n",
       "      <td>[{'external_id': 'M1055', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-23T14:44:24.727Z</td>\n",
       "      <td>2019-07-19T14:58:42.715Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Implement configuration changes to software (o...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Software Configuration</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...</td>\n",
       "      <td>[{'external_id': 'M1054', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-19T14:57:15.656Z</td>\n",
       "      <td>2019-07-19T14:40:23.529Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Take and store data backups from end user syst...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Data Backup</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...</td>\n",
       "      <td>[{'external_id': 'M1053', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-19T14:33:33.543Z</td>\n",
       "      <td>2019-07-19T14:33:33.543Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Configure Windows User Account Control to miti...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>User Account Control</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--2c2ad92a-d710-41ab-a996-1db1...</td>\n",
       "      <td>[{'external_id': 'M1052', 'source_name': 'mitr...</td>\n",
       "      <td>2019-06-11T17:14:35.170Z</td>\n",
       "      <td>2019-06-11T17:14:35.170Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description              type  \\\n",
       "0  This category is to associate techniques that ...  course-of-action   \n",
       "1  Implement configuration changes to software (o...  course-of-action   \n",
       "2  Take and store data backups from end user syst...  course-of-action   \n",
       "3  Configure Windows User Account Control to miti...  course-of-action   \n",
       "\n",
       "                     name                                object_marking_refs  \\\n",
       "0         Do Not Mitigate  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  Software Configuration  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2             Data Backup  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3    User Account Control  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  course-of-action--787fb64d-c87b-4ee5-a341-0ef1...   \n",
       "1  course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...   \n",
       "2  course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...   \n",
       "3  course-of-action--2c2ad92a-d710-41ab-a996-1db1...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'M1055', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'M1054', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'M1053', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'M1052', 'source_name': 'mitr...   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2019-07-23T14:44:24.727Z  2019-07-19T14:58:42.715Z             1.0   \n",
       "1  2019-07-19T14:57:15.656Z  2019-07-19T14:40:23.529Z             1.0   \n",
       "2  2019-07-19T14:33:33.543Z  2019-07-19T14:33:33.543Z             1.0   \n",
       "3  2019-06-11T17:14:35.170Z  2019-06-11T17:14:35.170Z             1.0   \n",
       "\n",
       "  x_mitre_deprecated  \n",
       "0                NaN  \n",
       "1                NaN  \n",
       "2                NaN  \n",
       "3                NaN  "
      ]
     },
     "execution_count": 78,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mitigations_list = []\n",
    "for t in mitigations:\n",
    "    mitigations_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(mitigations_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mobile Mitigations ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 79,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Mitigations in Mobile ATT&CK\n",
      "14\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Mitigations in Mobile ATT&CK\")\n",
    "mitigations = lift.get_mobile_mitigations()\n",
    "print(len(mitigations))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 80,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>name</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>x_mitre_version</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>This mitigation describes any guidance or trai...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Application Developer Guidance</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--25dc1ce8-eb55-4333-ae30-a7cb...</td>\n",
       "      <td>[{'external_id': 'M1013', 'source_name': 'mitr...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>2017-10-25T14:48:53.732Z</td>\n",
       "      <td>MOB-M1013</td>\n",
       "      <td>1.0</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>An enterprise mobility management (EMM), also ...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Enterprise Policy</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--649f7268-4c12-483b-ac84-4b7b...</td>\n",
       "      <td>[{'external_id': 'M1012', 'source_name': 'mitr...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>2017-10-25T14:48:53.318Z</td>\n",
       "      <td>MOB-M1012</td>\n",
       "      <td>1.0</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Enable remote attestation capabilities when av...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Attestation</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--ff4821f6-5afb-481b-8c0f-26c2...</td>\n",
       "      <td>[{'external_id': 'M1002', 'source_name': 'mitr...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>2017-10-25T14:48:52.933Z</td>\n",
       "      <td>MOB-M1002</td>\n",
       "      <td>1.0</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>A variety of methods exist that can be used to...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Deploy Compromised Device Detection Method</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--cf2cccb1-cab8-431a-8ecf-f787...</td>\n",
       "      <td>[{'external_id': 'M1010', 'source_name': 'mitr...</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>2017-10-25T14:48:52.601Z</td>\n",
       "      <td>MOB-M1010</td>\n",
       "      <td>1.0</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description              type  \\\n",
       "0  This mitigation describes any guidance or trai...  course-of-action   \n",
       "1  An enterprise mobility management (EMM), also ...  course-of-action   \n",
       "2  Enable remote attestation capabilities when av...  course-of-action   \n",
       "3  A variety of methods exist that can be used to...  course-of-action   \n",
       "\n",
       "                                         name  \\\n",
       "0              Application Developer Guidance   \n",
       "1                           Enterprise Policy   \n",
       "2                                 Attestation   \n",
       "3  Deploy Compromised Device Detection Method   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  course-of-action--25dc1ce8-eb55-4333-ae30-a7cb...   \n",
       "1  course-of-action--649f7268-4c12-483b-ac84-4b7b...   \n",
       "2  course-of-action--ff4821f6-5afb-481b-8c0f-26c2...   \n",
       "3  course-of-action--cf2cccb1-cab8-431a-8ecf-f787...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'M1013', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'M1012', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'M1002', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'M1010', 'source_name': 'mitr...   \n",
       "\n",
       "                   modified                   created x_mitre_old_attack_id  \\\n",
       "0  2018-10-17T00:14:20.652Z  2017-10-25T14:48:53.732Z             MOB-M1013   \n",
       "1  2018-10-17T00:14:20.652Z  2017-10-25T14:48:53.318Z             MOB-M1012   \n",
       "2  2018-10-17T00:14:20.652Z  2017-10-25T14:48:52.933Z             MOB-M1002   \n",
       "3  2018-10-17T00:14:20.652Z  2017-10-25T14:48:52.601Z             MOB-M1010   \n",
       "\n",
       "  x_mitre_version  \n",
       "0             1.0  \n",
       "1             1.0  \n",
       "2             1.0  \n",
       "3             1.0  "
      ]
     },
     "execution_count": 80,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mitigations_list = []\n",
    "for t in mitigations:\n",
    "    mitigations_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(mitigations_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mitigations (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 81,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Mitigations in ATT&CK\n",
      "295\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Mitigations in ATT&CK\")\n",
    "mitigations = lift.get_mitigations()\n",
    "print(len(mitigations))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 82,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>name</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_deprecated</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>This category is to associate techniques that ...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Do Not Mitigate</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--787fb64d-c87b-4ee5-a341-0ef1...</td>\n",
       "      <td>[{'external_id': 'M1055', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-23T14:44:24.727Z</td>\n",
       "      <td>2019-07-19T14:58:42.715Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Implement configuration changes to software (o...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Software Configuration</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...</td>\n",
       "      <td>[{'external_id': 'M1054', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-19T14:57:15.656Z</td>\n",
       "      <td>2019-07-19T14:40:23.529Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Take and store data backups from end user syst...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>Data Backup</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...</td>\n",
       "      <td>[{'external_id': 'M1053', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-19T14:33:33.543Z</td>\n",
       "      <td>2019-07-19T14:33:33.543Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Configure Windows User Account Control to miti...</td>\n",
       "      <td>course-of-action</td>\n",
       "      <td>User Account Control</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>course-of-action--2c2ad92a-d710-41ab-a996-1db1...</td>\n",
       "      <td>[{'external_id': 'M1052', 'source_name': 'mitr...</td>\n",
       "      <td>2019-06-11T17:14:35.170Z</td>\n",
       "      <td>2019-06-11T17:14:35.170Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description              type  \\\n",
       "0  This category is to associate techniques that ...  course-of-action   \n",
       "1  Implement configuration changes to software (o...  course-of-action   \n",
       "2  Take and store data backups from end user syst...  course-of-action   \n",
       "3  Configure Windows User Account Control to miti...  course-of-action   \n",
       "\n",
       "                     name                                object_marking_refs  \\\n",
       "0         Do Not Mitigate  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  Software Configuration  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2             Data Backup  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3    User Account Control  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  course-of-action--787fb64d-c87b-4ee5-a341-0ef1...   \n",
       "1  course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8...   \n",
       "2  course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73...   \n",
       "3  course-of-action--2c2ad92a-d710-41ab-a996-1db1...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'M1055', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'M1054', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'M1053', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'M1052', 'source_name': 'mitr...   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2019-07-23T14:44:24.727Z  2019-07-19T14:58:42.715Z             1.0   \n",
       "1  2019-07-19T14:57:15.656Z  2019-07-19T14:40:23.529Z             1.0   \n",
       "2  2019-07-19T14:33:33.543Z  2019-07-19T14:33:33.543Z             1.0   \n",
       "3  2019-06-11T17:14:35.170Z  2019-06-11T17:14:35.170Z             1.0   \n",
       "\n",
       "  x_mitre_deprecated x_mitre_old_attack_id  \n",
       "0                NaN                   NaN  \n",
       "1                NaN                   NaN  \n",
       "2                NaN                   NaN  \n",
       "3                NaN                   NaN  "
      ]
     },
     "execution_count": 82,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mitigations_list = []\n",
    "for t in mitigations:\n",
    "    mitigations_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(mitigations_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Enterprise Groups ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 83,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in Enterprise ATT&CK\n",
      "93\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in Enterprise ATT&CK\")\n",
    "groups = lift.get_enterprise_groups()\n",
    "print(len(groups))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All PRE Groups ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 84,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in PRE-ATT&CK\n",
      "7\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in PRE-ATT&CK\")\n",
    "groups = lift.get_pre_groups()\n",
    "print(len(groups))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 85,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>aliases</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>TEMP.Veles</td>\n",
       "      <td>[TEMP.Veles](https://attack.mitre.org/groups/G...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>[TEMP.Veles, XENOTIME]</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...</td>\n",
       "      <td>[{'external_id': 'G0088', 'source_name': 'mitr...</td>\n",
       "      <td>2019-04-29T18:59:16.079Z</td>\n",
       "      <td>2019-04-16T15:14:38.533Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>APT17</td>\n",
       "      <td>[APT17](https://attack.mitre.org/groups/G0025)...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>[APT17, Deputy Dog]</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>intrusion-set--090242d7-73fc-4738-af68-20162f7...</td>\n",
       "      <td>[{'external_id': 'G0025', 'source_name': 'mitr...</td>\n",
       "      <td>2019-03-22T14:21:19.419Z</td>\n",
       "      <td>2017-05-31T21:31:57.307Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>APT16</td>\n",
       "      <td>[APT16](https://attack.mitre.org/groups/G0023)...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>[APT16]</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>intrusion-set--d6e88e18-81e8-4709-82d8-973095d...</td>\n",
       "      <td>[{'external_id': 'G0023', 'source_name': 'mitr...</td>\n",
       "      <td>2019-03-22T14:20:45.561Z</td>\n",
       "      <td>2017-05-31T21:31:56.270Z</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Night Dragon</td>\n",
       "      <td>[Night Dragon](https://attack.mitre.org/groups...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>[Night Dragon]</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e...</td>\n",
       "      <td>[{'external_id': 'G0014', 'source_name': 'mitr...</td>\n",
       "      <td>2019-03-25T14:36:29.638Z</td>\n",
       "      <td>2017-05-31T21:31:51.643Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref          name  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5    TEMP.Veles   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5         APT17   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5         APT16   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  Night Dragon   \n",
       "\n",
       "                                         description           type  \\\n",
       "0  [TEMP.Veles](https://attack.mitre.org/groups/G...  intrusion-set   \n",
       "1  [APT17](https://attack.mitre.org/groups/G0025)...  intrusion-set   \n",
       "2  [APT16](https://attack.mitre.org/groups/G0023)...  intrusion-set   \n",
       "3  [Night Dragon](https://attack.mitre.org/groups...  intrusion-set   \n",
       "\n",
       "                  aliases                                object_marking_refs  \\\n",
       "0  [TEMP.Veles, XENOTIME]  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1     [APT17, Deputy Dog]  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2                 [APT16]  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3          [Night Dragon]  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...   \n",
       "1  intrusion-set--090242d7-73fc-4738-af68-20162f7...   \n",
       "2  intrusion-set--d6e88e18-81e8-4709-82d8-973095d...   \n",
       "3  intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'G0088', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'G0025', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'G0023', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'G0014', 'source_name': 'mitr...   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2019-04-29T18:59:16.079Z  2019-04-16T15:14:38.533Z             1.0   \n",
       "1  2019-03-22T14:21:19.419Z  2017-05-31T21:31:57.307Z             1.0   \n",
       "2  2019-03-22T14:20:45.561Z  2017-05-31T21:31:56.270Z             1.0   \n",
       "3  2019-03-25T14:36:29.638Z  2017-05-31T21:31:51.643Z             1.1   \n",
       "\n",
       "  x_mitre_contributors  \n",
       "0                  NaN  \n",
       "1                  NaN  \n",
       "2                  NaN  \n",
       "3                  NaN  "
      ]
     },
     "execution_count": 85,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups_list = []\n",
    "for t in groups:\n",
    "    groups_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(groups_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mobile Groups ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 86,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in Mobile ATT&CK\n",
      "2\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in Mobile ATT&CK\")\n",
    "groups = lift.get_mobile_groups()\n",
    "print(len(groups))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 87,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>name</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>aliases</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>created</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Dark Caracal</td>\n",
       "      <td>[Dark Caracal](https://attack.mitre.org/groups...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>[Dark Caracal]</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...</td>\n",
       "      <td>[{'external_id': 'G0070', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-16T15:35:20.554Z</td>\n",
       "      <td>2018-10-17T00:14:20.652Z</td>\n",
       "      <td>1.1</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>APT28</td>\n",
       "      <td>[APT28](https://attack.mitre.org/groups/G0007)...</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>[APT28, SNAKEMACKEREL, Swallowtail, Group 74, ...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8...</td>\n",
       "      <td>[{'external_id': 'G0007', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-27T00:09:33.254Z</td>\n",
       "      <td>2017-05-31T21:31:48.664Z</td>\n",
       "      <td>2.1</td>\n",
       "      <td>[Emily Ratliff, IBM, Richard Gold, Digital Sha...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref          name  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5  Dark Caracal   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5         APT28   \n",
       "\n",
       "                                         description           type  \\\n",
       "0  [Dark Caracal](https://attack.mitre.org/groups...  intrusion-set   \n",
       "1  [APT28](https://attack.mitre.org/groups/G0007)...  intrusion-set   \n",
       "\n",
       "                                             aliases  \\\n",
       "0                                     [Dark Caracal]   \n",
       "1  [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...   \n",
       "1  intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'G0070', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'G0007', 'source_name': 'mitr...   \n",
       "\n",
       "                   modified                   created x_mitre_version  \\\n",
       "0  2019-07-16T15:35:20.554Z  2018-10-17T00:14:20.652Z             1.1   \n",
       "1  2019-07-27T00:09:33.254Z  2017-05-31T21:31:48.664Z             2.1   \n",
       "\n",
       "                                x_mitre_contributors  \n",
       "0                                                NaN  \n",
       "1  [Emily Ratliff, IBM, Richard Gold, Digital Sha...  "
      ]
     },
     "execution_count": 87,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups_list = []\n",
    "for t in groups:\n",
    "    groups_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(groups_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Groups (TAXII)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "* This function gathers all groups defined in each Matrix (Enterprise, PRE & Mobile) and returns the unique ones\n",
    "  * This is because groups can be repeated across matrices"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 88,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Groups in ATT&CK\n",
      "93\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Groups in ATT&CK\")\n",
    "groups = lift.get_groups()\n",
    "print(len(groups))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 89,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>aliases</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>name</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>revoked</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>Operation [Soft Cell](https://attack.mitre.org...</td>\n",
       "      <td>[Soft Cell]</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>[{'external_id': 'G0093', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-22T15:49:28.637Z</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>2019-07-18T20:47:50.050Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>Soft Cell</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Cybereason Nocturnus, @nocturnus]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[TA505](https://attack.mitre.org/groups/G0092)...</td>\n",
       "      <td>[TA505]</td>\n",
       "      <td>intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb...</td>\n",
       "      <td>[{'external_id': 'G0092', 'source_name': 'mitr...</td>\n",
       "      <td>2019-06-24T19:11:41.060Z</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>2019-05-28T15:54:17.213Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>TA505</td>\n",
       "      <td>1.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Silence](https://attack.mitre.org/groups/G009...</td>\n",
       "      <td>[Silence]</td>\n",
       "      <td>intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb...</td>\n",
       "      <td>[{'external_id': 'G0091', 'source_name': 'mitr...</td>\n",
       "      <td>2019-07-16T16:12:09.085Z</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>2019-05-24T17:57:36.491Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>Silence</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Oleg Skulkin, Group-IB]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[WIRTE](https://attack.mitre.org/groups/G0090)...</td>\n",
       "      <td>[WIRTE]</td>\n",
       "      <td>intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3...</td>\n",
       "      <td>[{'external_id': 'G0090', 'source_name': 'mitr...</td>\n",
       "      <td>2019-06-20T15:30:38.517Z</td>\n",
       "      <td>intrusion-set</td>\n",
       "      <td>2019-05-24T17:02:44.226Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>WIRTE</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Lab52 by S2 Grupo]</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description      aliases  \\\n",
       "0  Operation [Soft Cell](https://attack.mitre.org...  [Soft Cell]   \n",
       "1  [TA505](https://attack.mitre.org/groups/G0092)...      [TA505]   \n",
       "2  [Silence](https://attack.mitre.org/groups/G009...    [Silence]   \n",
       "3  [WIRTE](https://attack.mitre.org/groups/G0090)...      [WIRTE]   \n",
       "\n",
       "                                                  id  \\\n",
       "0  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...   \n",
       "1  intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb...   \n",
       "2  intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb...   \n",
       "3  intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'G0093', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'G0092', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'G0091', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'G0090', 'source_name': 'mitr...   \n",
       "\n",
       "                   modified           type                   created  \\\n",
       "0  2019-07-22T15:49:28.637Z  intrusion-set  2019-07-18T20:47:50.050Z   \n",
       "1  2019-06-24T19:11:41.060Z  intrusion-set  2019-05-28T15:54:17.213Z   \n",
       "2  2019-07-16T16:12:09.085Z  intrusion-set  2019-05-24T17:57:36.491Z   \n",
       "3  2019-06-20T15:30:38.517Z  intrusion-set  2019-05-24T17:02:44.226Z   \n",
       "\n",
       "                                 object_marking_refs       name  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...  Soft Cell   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...      TA505   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...    Silence   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...      WIRTE   \n",
       "\n",
       "  x_mitre_version                x_mitre_contributors revoked  \n",
       "0             1.0  [Cybereason Nocturnus, @nocturnus]     NaN  \n",
       "1             1.0                                 NaN     NaN  \n",
       "2             1.0            [Oleg Skulkin, Group-IB]     NaN  \n",
       "3             1.0                 [Lab52 by S2 Grupo]     NaN  "
      ]
     },
     "execution_count": 89,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "groups_list = []\n",
    "for t in groups:\n",
    "    groups_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(groups_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Enterprise & Mobile Software (Malware & Tools) (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 90,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Software in ATT&CK\n",
      "398\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Software in ATT&CK\")\n",
    "software = lift.get_software()\n",
    "print(len(software))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Enterprise Relationships ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 91,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>modified</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>name</th>\n",
       "      <th>labels</th>\n",
       "      <th>x_mitre_version</th>\n",
       "      <th>x_mitre_platforms</th>\n",
       "      <th>x_mitre_aliases</th>\n",
       "      <th>x_mitre_contributors</th>\n",
       "      <th>x_mitre_old_attack_id</th>\n",
       "      <th>revoked</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[PoshC2](https://attack.mitre.org/software/S03...</td>\n",
       "      <td>tool--4b57c098-f043-4da2-83ef-7588a6d426bc</td>\n",
       "      <td>[{'external_id': 'S0378', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-04-23T18:29:12.005Z</td>\n",
       "      <td>tool</td>\n",
       "      <td>2019-04-23T12:31:58.125Z</td>\n",
       "      <td>PoshC2</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows, Linux, macOS]</td>\n",
       "      <td>[PoshC2]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[RawDisk](https://attack.mitre.org/software/S0...</td>\n",
       "      <td>tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079</td>\n",
       "      <td>[{'external_id': 'S0364', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-04-19T19:04:55.892Z</td>\n",
       "      <td>tool</td>\n",
       "      <td>2019-03-25T12:30:40.919Z</td>\n",
       "      <td>RawDisk</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[RawDisk]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Empire](https://attack.mitre.org/software/S03...</td>\n",
       "      <td>tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3</td>\n",
       "      <td>[{'external_id': 'S0363', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-06-24T17:15:43.818Z</td>\n",
       "      <td>tool</td>\n",
       "      <td>2019-03-11T14:13:40.648Z</td>\n",
       "      <td>Empire</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Linux, macOS, Windows]</td>\n",
       "      <td>[Empire, EmPyre, PowerShell Empire]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Expand](https://attack.mitre.org/software/S03...</td>\n",
       "      <td>tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973</td>\n",
       "      <td>[{'external_id': 'S0361', 'source_name': 'mitr...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-04-19T18:52:30.033Z</td>\n",
       "      <td>tool</td>\n",
       "      <td>2019-02-19T19:17:14.971Z</td>\n",
       "      <td>Expand</td>\n",
       "      <td>[tool]</td>\n",
       "      <td>1.0</td>\n",
       "      <td>[Windows]</td>\n",
       "      <td>[Expand]</td>\n",
       "      <td>[Matthew Demaske, Adaptforward]</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description  \\\n",
       "0  [PoshC2](https://attack.mitre.org/software/S03...   \n",
       "1  [RawDisk](https://attack.mitre.org/software/S0...   \n",
       "2  [Empire](https://attack.mitre.org/software/S03...   \n",
       "3  [Expand](https://attack.mitre.org/software/S03...   \n",
       "\n",
       "                                           id  \\\n",
       "0  tool--4b57c098-f043-4da2-83ef-7588a6d426bc   \n",
       "1  tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079   \n",
       "2  tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3   \n",
       "3  tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'external_id': 'S0378', 'source_name': 'mitr...   \n",
       "1  [{'external_id': 'S0364', 'source_name': 'mitr...   \n",
       "2  [{'external_id': 'S0363', 'source_name': 'mitr...   \n",
       "3  [{'external_id': 'S0361', 'source_name': 'mitr...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                   modified  type                   created     name  labels  \\\n",
       "0  2019-04-23T18:29:12.005Z  tool  2019-04-23T12:31:58.125Z   PoshC2  [tool]   \n",
       "1  2019-04-19T19:04:55.892Z  tool  2019-03-25T12:30:40.919Z  RawDisk  [tool]   \n",
       "2  2019-06-24T17:15:43.818Z  tool  2019-03-11T14:13:40.648Z   Empire  [tool]   \n",
       "3  2019-04-19T18:52:30.033Z  tool  2019-02-19T19:17:14.971Z   Expand  [tool]   \n",
       "\n",
       "  x_mitre_version        x_mitre_platforms  \\\n",
       "0             1.0  [Windows, Linux, macOS]   \n",
       "1             1.0                [Windows]   \n",
       "2             1.0  [Linux, macOS, Windows]   \n",
       "3             1.0                [Windows]   \n",
       "\n",
       "                       x_mitre_aliases             x_mitre_contributors  \\\n",
       "0                             [PoshC2]                              NaN   \n",
       "1                            [RawDisk]                              NaN   \n",
       "2  [Empire, EmPyre, PowerShell Empire]                              NaN   \n",
       "3                             [Expand]  [Matthew Demaske, Adaptforward]   \n",
       "\n",
       "  x_mitre_old_attack_id revoked  \n",
       "0                   NaN     NaN  \n",
       "1                   NaN     NaN  \n",
       "2                   NaN     NaN  \n",
       "3                   NaN     NaN  "
      ]
     },
     "execution_count": 91,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "software_list = []\n",
    "for t in software:\n",
    "    software_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(software_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 92,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in Enterprise ATT&CK\n",
      "5675\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in Enterprise ATT&CK\")\n",
    "relationships = lift.get_enterprise_relationships()\n",
    "print(len(relationships))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 93,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:49:28.744Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--380743e5-616c-4524-96e6-d545e5b6...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:28.744Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--92d7da27-2d91-488e-a00c-059dc1...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:35:24.376Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--919f6143-eb8c-48cd-8741-118040c3...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:29.135Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--00d0b012-8a03-410e-95de-5826bf...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:35:24.363Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--ee4d1b24-603f-40df-8f21-3c053fba...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:29.090Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:35:24.351Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--38be247c-74b0-42f3-964e-5f23ef42...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:29.092Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description          type  \\\n",
       "0  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "1  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "2  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "3  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "\n",
       "                    created  \\\n",
       "0  2019-07-22T15:49:28.744Z   \n",
       "1  2019-07-22T15:35:24.376Z   \n",
       "2  2019-07-22T15:35:24.363Z   \n",
       "3  2019-07-22T15:35:24.351Z   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  relationship--380743e5-616c-4524-96e6-d545e5b6...   \n",
       "1  relationship--919f6143-eb8c-48cd-8741-118040c3...   \n",
       "2  relationship--ee4d1b24-603f-40df-8f21-3c053fba...   \n",
       "3  relationship--38be247c-74b0-42f3-964e-5f23ef42...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "1  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "2  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "3  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "\n",
       "                   modified  \\\n",
       "0  2019-07-22T15:49:28.744Z   \n",
       "1  2019-07-22T15:49:29.135Z   \n",
       "2  2019-07-22T15:49:29.090Z   \n",
       "3  2019-07-22T15:49:29.092Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "1  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "2  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "3  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "\n",
       "                                          target_ref  \n",
       "0  attack-pattern--92d7da27-2d91-488e-a00c-059dc1...  \n",
       "1  attack-pattern--00d0b012-8a03-410e-95de-5826bf...  \n",
       "2  attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd...  \n",
       "3  attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841...  "
      ]
     },
     "execution_count": 93,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relations_list = []\n",
    "for t in relationships:\n",
    "    relations_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(relations_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All PRE Relationships ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 94,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in PRE-ATT&CK\n",
      "70\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in PRE-ATT&CK\")\n",
    "relationships = lift.get_pre_relationships()\n",
    "print(len(relationships))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 95,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[TEMP.Veles](https://attack.mitre.org/groups/G...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-04-24T19:45:44.212Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--21842707-0f15-43bf-bc42-2bceadf2...</td>\n",
       "      <td>[{'source_name': 'FireEye TRITON 2019', 'descr...</td>\n",
       "      <td>2019-04-29T18:59:16.596Z</td>\n",
       "      <td>intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--20a66013-8dab-4ca3-a67d-766c84...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[TEMP.Veles](https://attack.mitre.org/groups/G...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-04-24T19:45:44.205Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--2d95ed6f-52e7-4708-af15-9a6c0839...</td>\n",
       "      <td>[{'source_name': 'FireEye TRITON 2019', 'descr...</td>\n",
       "      <td>2019-04-29T18:59:16.595Z</td>\n",
       "      <td>intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--795c1a92-3a26-453e-b99a-6a566a...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>NaN</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-02-19T18:56:56.770Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--83379e43-4bc5-4c49-b0b3-f41161e8...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>2019-02-19T18:56:56.770Z</td>\n",
       "      <td>attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1...</td>\n",
       "      <td>related-to</td>\n",
       "      <td>attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>NaN</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-02-19T18:56:56.136Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--1aafdefb-304e-4998-87cc-81aad295...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>2019-02-19T18:56:56.136Z</td>\n",
       "      <td>attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42...</td>\n",
       "      <td>related-to</td>\n",
       "      <td>attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description          type  \\\n",
       "0  [TEMP.Veles](https://attack.mitre.org/groups/G...  relationship   \n",
       "1  [TEMP.Veles](https://attack.mitre.org/groups/G...  relationship   \n",
       "2                                                NaN  relationship   \n",
       "3                                                NaN  relationship   \n",
       "\n",
       "                    created  \\\n",
       "0  2019-04-24T19:45:44.212Z   \n",
       "1  2019-04-24T19:45:44.205Z   \n",
       "2  2019-02-19T18:56:56.770Z   \n",
       "3  2019-02-19T18:56:56.136Z   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  relationship--21842707-0f15-43bf-bc42-2bceadf2...   \n",
       "1  relationship--2d95ed6f-52e7-4708-af15-9a6c0839...   \n",
       "2  relationship--83379e43-4bc5-4c49-b0b3-f41161e8...   \n",
       "3  relationship--1aafdefb-304e-4998-87cc-81aad295...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'FireEye TRITON 2019', 'descr...   \n",
       "1  [{'source_name': 'FireEye TRITON 2019', 'descr...   \n",
       "2                                                NaN   \n",
       "3                                                NaN   \n",
       "\n",
       "                   modified  \\\n",
       "0  2019-04-29T18:59:16.596Z   \n",
       "1  2019-04-29T18:59:16.595Z   \n",
       "2  2019-02-19T18:56:56.770Z   \n",
       "3  2019-02-19T18:56:56.136Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...              uses   \n",
       "1  intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca...              uses   \n",
       "2  attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1...        related-to   \n",
       "3  attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42...        related-to   \n",
       "\n",
       "                                          target_ref  \n",
       "0  attack-pattern--20a66013-8dab-4ca3-a67d-766c84...  \n",
       "1  attack-pattern--795c1a92-3a26-453e-b99a-6a566a...  \n",
       "2  attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42...  \n",
       "3  attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1...  "
      ]
     },
     "execution_count": 95,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relations_list = []\n",
    "for t in relationships:\n",
    "    relations_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(relations_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Mobile Relationships ONLY (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 96,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in Mobile ATT&CK\n",
      "322\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in Mobile ATT&CK\")\n",
    "relationships = lift.get_mobile_relationships()\n",
    "print(len(relationships))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 97,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>id</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>created</th>\n",
       "      <th>modified</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "      <th>external_references</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>An EMM/MDM can use the Android `DevicePolicyMa...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>relationship--fbd2d4f7-96ff-4624-a567-d4882f0c...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-23T15:35:23.530Z</td>\n",
       "      <td>2019-07-23T15:35:23.530Z</td>\n",
       "      <td>course-of-action--649f7268-4c12-483b-ac84-4b7b...</td>\n",
       "      <td>mitigates</td>\n",
       "      <td>attack-pattern--2204c371-6100-4ae0-82f3-25c07c...</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Dark Caracal](https://attack.mitre.org/groups...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>relationship--61071d73-fcdf-4820-afd0-e3f0983e...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-10T15:42:09.606Z</td>\n",
       "      <td>2019-07-16T15:35:20.953Z</td>\n",
       "      <td>intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--6a3f6490-9c44-40de-b059-e5940f...</td>\n",
       "      <td>[{'source_name': 'Lookout Dark Caracal Jan 201...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Dark Caracal](https://attack.mitre.org/groups...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>relationship--ae9a0fb3-901b-4da2-b6ad-633ddbfa...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-10T15:42:09.591Z</td>\n",
       "      <td>2019-07-16T15:35:21.028Z</td>\n",
       "      <td>intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--53263a67-075e-48fa-974b-91c5b5...</td>\n",
       "      <td>[{'source_name': 'Lookout Dark Caracal Jan 201...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Pallas](https://attack.mitre.org/software/S03...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>relationship--60ecd154-e907-419a-b41d-1a9a1f59...</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>2019-07-10T15:35:43.712Z</td>\n",
       "      <td>2019-07-14T21:33:23.556Z</td>\n",
       "      <td>malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--8e27551a-5080-4148-a584-c64348...</td>\n",
       "      <td>[{'source_name': 'Lookout Dark Caracal Jan 201...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description          type  \\\n",
       "0  An EMM/MDM can use the Android `DevicePolicyMa...  relationship   \n",
       "1  [Dark Caracal](https://attack.mitre.org/groups...  relationship   \n",
       "2  [Dark Caracal](https://attack.mitre.org/groups...  relationship   \n",
       "3  [Pallas](https://attack.mitre.org/software/S03...  relationship   \n",
       "\n",
       "                                                  id  \\\n",
       "0  relationship--fbd2d4f7-96ff-4624-a567-d4882f0c...   \n",
       "1  relationship--61071d73-fcdf-4820-afd0-e3f0983e...   \n",
       "2  relationship--ae9a0fb3-901b-4da2-b6ad-633ddbfa...   \n",
       "3  relationship--60ecd154-e907-419a-b41d-1a9a1f59...   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                    created                  modified  \\\n",
       "0  2019-07-23T15:35:23.530Z  2019-07-23T15:35:23.530Z   \n",
       "1  2019-07-10T15:42:09.606Z  2019-07-16T15:35:20.953Z   \n",
       "2  2019-07-10T15:42:09.591Z  2019-07-16T15:35:21.028Z   \n",
       "3  2019-07-10T15:35:43.712Z  2019-07-14T21:33:23.556Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  course-of-action--649f7268-4c12-483b-ac84-4b7b...         mitigates   \n",
       "1  intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...              uses   \n",
       "2  intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74...              uses   \n",
       "3      malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878              uses   \n",
       "\n",
       "                                          target_ref  \\\n",
       "0  attack-pattern--2204c371-6100-4ae0-82f3-25c07c...   \n",
       "1  attack-pattern--6a3f6490-9c44-40de-b059-e5940f...   \n",
       "2  attack-pattern--53263a67-075e-48fa-974b-91c5b5...   \n",
       "3  attack-pattern--8e27551a-5080-4148-a584-c64348...   \n",
       "\n",
       "                                 external_references  \n",
       "0                                                NaN  \n",
       "1  [{'source_name': 'Lookout Dark Caracal Jan 201...  \n",
       "2  [{'source_name': 'Lookout Dark Caracal Jan 201...  \n",
       "3  [{'source_name': 'Lookout Dark Caracal Jan 201...  "
      ]
     },
     "execution_count": 97,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relations_list = []\n",
    "for t in relationships:\n",
    "    relations_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(relations_list)\n",
    "df[0:4]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Get All Relationships (TAXII)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 98,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Number of Relationships in ATT&CK\n",
      "6067\n"
     ]
    }
   ],
   "source": [
    "print(\"Number of Relationships in ATT&CK\")\n",
    "relationships = lift.get_relationships()\n",
    "print(len(relationships))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 99,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>created_by_ref</th>\n",
       "      <th>description</th>\n",
       "      <th>type</th>\n",
       "      <th>created</th>\n",
       "      <th>object_marking_refs</th>\n",
       "      <th>id</th>\n",
       "      <th>external_references</th>\n",
       "      <th>modified</th>\n",
       "      <th>source_ref</th>\n",
       "      <th>relationship_type</th>\n",
       "      <th>target_ref</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:49:28.744Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--380743e5-616c-4524-96e6-d545e5b6...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:28.744Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--92d7da27-2d91-488e-a00c-059dc1...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:35:24.376Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--919f6143-eb8c-48cd-8741-118040c3...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:29.135Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--00d0b012-8a03-410e-95de-5826bf...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:35:24.363Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--ee4d1b24-603f-40df-8f21-3c053fba...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:29.090Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5</td>\n",
       "      <td>[Soft Cell](https://attack.mitre.org/groups/G0...</td>\n",
       "      <td>relationship</td>\n",
       "      <td>2019-07-22T15:35:24.351Z</td>\n",
       "      <td>[marking-definition--fa42a846-8d90-4e51-bc29-7...</td>\n",
       "      <td>relationship--38be247c-74b0-42f3-964e-5f23ef42...</td>\n",
       "      <td>[{'source_name': 'Cybereason Soft Cell June 20...</td>\n",
       "      <td>2019-07-22T15:49:29.092Z</td>\n",
       "      <td>intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...</td>\n",
       "      <td>uses</td>\n",
       "      <td>attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                   created_by_ref  \\\n",
       "0  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "1  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "2  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "3  identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5   \n",
       "\n",
       "                                         description          type  \\\n",
       "0  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "1  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "2  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "3  [Soft Cell](https://attack.mitre.org/groups/G0...  relationship   \n",
       "\n",
       "                    created  \\\n",
       "0  2019-07-22T15:49:28.744Z   \n",
       "1  2019-07-22T15:35:24.376Z   \n",
       "2  2019-07-22T15:35:24.363Z   \n",
       "3  2019-07-22T15:35:24.351Z   \n",
       "\n",
       "                                 object_marking_refs  \\\n",
       "0  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "1  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "2  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "3  [marking-definition--fa42a846-8d90-4e51-bc29-7...   \n",
       "\n",
       "                                                  id  \\\n",
       "0  relationship--380743e5-616c-4524-96e6-d545e5b6...   \n",
       "1  relationship--919f6143-eb8c-48cd-8741-118040c3...   \n",
       "2  relationship--ee4d1b24-603f-40df-8f21-3c053fba...   \n",
       "3  relationship--38be247c-74b0-42f3-964e-5f23ef42...   \n",
       "\n",
       "                                 external_references  \\\n",
       "0  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "1  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "2  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "3  [{'source_name': 'Cybereason Soft Cell June 20...   \n",
       "\n",
       "                   modified  \\\n",
       "0  2019-07-22T15:49:28.744Z   \n",
       "1  2019-07-22T15:49:29.135Z   \n",
       "2  2019-07-22T15:49:29.090Z   \n",
       "3  2019-07-22T15:49:29.092Z   \n",
       "\n",
       "                                          source_ref relationship_type  \\\n",
       "0  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "1  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "2  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "3  intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d...              uses   \n",
       "\n",
       "                                          target_ref  \n",
       "0  attack-pattern--92d7da27-2d91-488e-a00c-059dc1...  \n",
       "1  attack-pattern--00d0b012-8a03-410e-95de-5826bf...  \n",
       "2  attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd...  \n",
       "3  attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841...  "
      ]
     },
     "execution_count": 99,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relations_list = []\n",
    "for t in relationships:\n",
    "    relations_list.append(json.loads(t.serialize()))\n",
    "df = json_normalize(relations_list)\n",
    "df[0:4]"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 3",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.7.3"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}
